Terror on the Internet hardly sounds like a book title to reassure public sector IT security organizations. But, ironically, it does.
Written by security researcher Gabriel Weimann and published by the United States Institute of Peace, the book acknowledges that war is being waged on the Internet but argues that the greatest threats are beyond the scope of system administrators and IT staff.
After years of study, Weimann concludes that there has never been a successful example of “cyberterrorism,” a pure electronic attack that caused physical injury or loss of life. On the other hand, he writes, the Internet has opened up other resources and opportunities for terrorists, and CIO organizations have little or no control over those threats.
One of the greatest benefits of the Internet to international terrorism, Weimann argues, has been its ability to broadcast unfiltered messages to audiences that would otherwise never see them; to organize geographically dispersed groups in an effective way; and to allow instant, secure transmission of operational information. When fund-raising, money transfers and recruiting join those activities, the result is virtual nation-states that exist everywhere and nowhere, able to materialize and vanish, divide and multiply almost at will. To accomplish most of their goals, they do not need to hack into government systems or crash networks.
Terror on the Internet provides a useful framework for understanding and analysing emerging security challenges, and framework is the correct term. The value of the Internet to terrorists lies in creative convergence: Digital media and the propaganda value of atrocity intersect when al Qaeda can disseminate videos of violence that conventional media have censored; e-learning leads to restaurant and car bomb explosions when online tutorials teach willing students how to use easily obtained materials to create bombs; and the developed world’s commitment to open public information creates vast databases that terrorist planners can use to create bigger and better threats.
According to Weimann, we need look no further than the amazing success of Google in recent years to find the value of information technology for international terrorism: organized, accessible content. The true vulnerability for governments fighting terrorism is the information they so generously provide, intentionally or not. (The same day a review copy of Terror on the Internet arrived came news that detailed plans of Air Force One had been posted on the Internet, complete with details of its anti-missile systems, the seating plan for Secret Service personnel and the location of its vulnerable oxygen equipment.) There are literally millions of documents available on the Internet, waiting to be cross-referenced and analysed for vulnerabilities. The book quotes U.S. Secretary of Defence Donald Rumsfeld as saying, “Using public sources and without resorting to illegal means, it is possible to gather at least 80 per cent of all information required about the enemy.”
Weimann’s book includes a useful discussion of what “cyberterrorism” attacks really are and quotes a literal definition: They result in real physical damage to people or property, they generate fear, and they further political or social objectives. Attacks against non-essential services, even successful ones that cause economic damage, don’t count.
So what does all this mean for a public sector CIO organization? The real value of this book may be in sharpening the focus on what is really important in IT security. As this column went to press, news had just broken that U.S. military personnel with baskets of cash were going through the street markets outside the top secret Bagram air base in Afghanistan, buying back stolen flash and hard drives. Some still carried classified information.
No firewall or antivirus software can prevent that kind of breakdown. When the data on those devices isn’t encrypted, and much of it apparently wasn’t, there is no way to recover it. The solution may lie in understanding the importance of protecting the content on our desktops, networks and storage systems and not just the systems themselves.
For all its emphasis on the informational and organizational aspects of digital terrorism, Terror on the Internet does not rule out the possibility of catastrophic attacks. For example, as the book points out, we have not yet seen a “coupled” attack, in which a physical strike is combined with an Internet-based attack to multiply the damage or hinder the recovery. After all, our worst possible scenario is still someone’s top priority.
Richard Bray is an Ottawa-based freelance journalist specializing in high technology and security issues.