It's easy to see how losing electrical power can destabilise a developed nation or region but do cyberterrorists really see the Internet as a vulnerable target?
Yes. In December 2002, I interviewed Sheikh Omar Bakri Muhammad, a London-based radical Islamic cleric who has by his own admission recruited suicide bombers and considers his al-Muhajirun organisation the political arm of al-Qaeda. He talked in detail about the usefulness of cyberweapons. In addition, within five months of 9/11, a senior al-Qaeda operative and senior strategy advisor to Osama bin Laden, Abu Ubeid al-Qurashi, wrote an article in al-Ansar in which he describes "jihad on the Internet" as one of the "nightmares" that will soon come to America. The evidence is there that some senior people in these groups are thinking about the future. The job of a terrorist is to spread terror. How does one spread terror through the Internet?
The goal of cyberterrorism is not necessarily to spread terror as much as it is to spread fear and uncertainty by causing people to lose faith in the government's ability to protect and serve them or, for example, significantly hinder the financial industry's ability to function properly and protect private assets. One of the problems with the post-9/11 security environment is that the tremendous loss of human life on that day has caused us to a certain extent to ignore the political and economic warfare aspects of international terrorism. When we are talking about cyberterrorism, who poses the most likely threat: a domestic cracker or a terrorist outside the United States?
I think that depends on a number of factors. For example, a domestic cracker who happens to be employed by a major infrastructure owner in the United States could be very dangerous because he or she would be operating as a trusted insider. On the other hand, we have already seen how computer viruses and worms can be launched from anywhere in the world with devastating consequences for US-based businesses and government agencies. With this in mind, do you foresee a time when domestic hackers and crackers may be labelled as terrorists?
Verton: That's certainly a possibility. In fact, it has already happened in the United Kingdom, where certain types of hacking incidents are by law viewed as terrorist actions. I think any hacking incident that threatens public health or safety, such as a hacker gaining access to a hospital network and changing blood types, causing numerous deaths from incorrect blood transfusions, could certainly rise to the level of terrorism. After all, dead is dead. It's been said that Americans have had to give up hard-won rights in exchange for security. Do you agree?
I think if Americans really want 99.99 percent security (there is no 100 percent guarantee), then yes, they will have to give up some rights. But that hasn't happened yet. What has happened is the process of slowly eroding some basic rights of privacy. This stems from a knee-jerk reaction to the 9/11 attacks and the rush to employ any and all technologies that show some promise of helping to identify the sleeping terrorists in our midst. If we had started with the 40,000 people currently on the various watch lists, we wouldn't have government programs such as the Total Information Awareness program (now known as the Terrorist Information Awareness program) trying to keep tabs on every electronic transaction that takes place. The BBC reported in March that the threat of cyberterrorism is being "overhyped" by the US government. What is your opinion of the US government's view on cyberterrorism?
I think reports like that and statements by so-called security experts criticizing the government for thinking through the entire spectrum of possible attack scenarios are part of the problem and not part of the solution. As I write in my book, the indications and the warnings were present in 1994 that al-Qaeda was interested in using airplanes as weapons. Yet we failed to act because the "experts" said such an attack mode was unlikely. The indications and the warnings are now beginning to surface that terrorist groups understand where we are most vulnerable. The only question that remains to be answered is if we will remain shackled by inflexible thinking. If we do, then Americans should be prepared to respond to another attack, rather than prevent one. It's unfortunate that most businesses and security practitioners today think in terms of balancing risk based on the probability of being attacked. Terrorists, on the other hand, think in terms of the art of the possible. What can your average CIO/CTO/IT manager do to protect her/his company?
Work closely with the government on information sharing and think in terms of continuity of service as opposed to disaster recovery. In addition, learn what it really means to have a "defence in depth" strategy and conduct tests and drills to identify your weak points. Then fix them. Do you see any hope for wireless security?
In the corporate world, yes. But it has proven to be plagued by cost and complexity--two drivers of inaction. The average home user, on the other hand, is a turkey in a turkey-shoot for organised crime bent on taking advantage of identity theft and credit card fraud. The knowledge, investment in security, and acceptance of risk just hasn't penetrated the consumer market yet.