In a bid to end scepticism surrounding the threat of a cyber-terrorist attack, Gartner Inc. presented its own “digital Pearl Harbor” research in Sydney last week.
With the support of the U.S. military, CIOs from national infrastructure organizations such as financial services, power utilities and the telecommunications sector, a “war games” scenario was created as a useful exercise to identify risks. The chilling results delivered by Gartner research director French Caldwell found financial services the easiest target, with high disruption potential for attacks on power utilities. He said the exercise proved a cyber attack was feasible.
Teams were established and participants put themselves in the minds of terrorists. Each was given a different target, with Caldwell pointing out the attack would not be launched by a single group but a syndicate.
“Just like a Hollywood film, the syndicate will have a director and a producer and the extras wouldn’t necessarily know what the script was,” he said. “We assume the attackers would be well funded, not a state organization and the attack would have to be planned in years; a serious attack would take two to five years of planning to execute successfully.”
The type of person engaged in the attack was likely to be a highly-skilled contractor servicing these particular systems and having “sleeper access” to the network.
“In the past these systems have never had rigorous security or staff auditing, so time bombs can be built into the system,” Caldwell said. “It is unrealistic to believe a group wakes up one day and decides to launch an effective attack.”
Demonstrating this point, Caldwell referred to last month’s attack on all 13 domain name root servers, which led to speculation that attempts were made to shut down the Internet. The DNS attack successfully shut down seven of the root servers for about an hour and is being investigated by the FBI.
Caldwell said there was a capability to destroy the Internet itself, which was demonstrated by the Internet terrorist team during the scenario. “That particular attack is an interesting example of how it could occur,” he said. “From a forensics perspective, the DNS attack was different to anything seen before.
“It may not have been a major disruption, but strategically it was of significance. The root server attack was so strategic it is worth a lot of investigation because our war game demonstrated the need for test runs and development phases to make it really effective.”
Caldwell said while 90 per cent of attacks could be prevented with good IT security practices, this was not a reality because of poor software. “It would take the industry a generation to upgrade enterprise systems already in place. Governments should be looking at minimum level security for the enterprise.”