Related Resources • Page 1: The Debate • Page 2: Weighing In • Page 3: The Risks • Securing the Home PC • Securing the Enterprise

From Other Guides • Network Disaster Recovery

Elsewhere on the Web • The Cyberwar Debate

According to Steve Gibson, president of Gibson Research Corporation (GRC.com) and creator of the popular (and free) firewall checking application ShieldsUp!, "Perhaps the best way to think of the Internet is as being extremely robust and essentially invulnerable on a global scale, but quite vulnerable, prone to attack, and forced outage on a local scale. Consequently, taken as a whole, the Internet is in little, if any, danger from "cyberwar" or "cyberattack". But specific "sub-nets" of the Internet are indeed vulnerable to attack and make easy targets."

Regarding the likely attack scenario, Steve surmises, "It is impossible to know exactly what the mind of the terrorist is planning. Certainly no one could have predicted that the World Trade Center towers -- specifically -- would be the target of suicide pilots. Therefore, it is probably impossible to speculate usefully about the possible targets of a cyberattack without knowing the full and complete plans of a terrorist attack. What we can say, however, is that if any cyber attack were to occur, it would most likely not be the main thrust of a terrorist plot, but would most likely be an ancillary component of a larger scheme. For example, critical communications infrastructure could be temporarily shut down by a cyber attack in a coordinated effort against some other non-cyber physical target."

Andreas Marx, Director of the Anti-Virus Test Center at the University of Magdeburg, Germany, not only thinks cyber-terrorism is possible, he thinks its already happening. The form of it, however, is vastly different from the scary version conjured up by many. According to Andreas, "People are waiting for the "big bang" and don't even see that we are already under attack." Andreas blames poor protection in the asiatic region - mainly Korea and China - for the continued spread of email viruses. Andreas fears that the lack of proper security and widespread infection in this area means that "attackers could use these high number of compromised systems for massive attacks at any time." He also sees spam as part of the problem, due to the high cost and drain on resources it creates. This attack he says, is an inside job. "For spam and chain letters, the situation is different. Our own people are attacking our infrastructure already, leading to very high costs for (currently inadequate) spam filter software, lost productivity due to time spent sorting through and deleting unwanted email, and bad investments made by the those gullible enough to respond to chain letters such as the Nigerian 419 class of hoaxes."

Andreas fears the problem of spam may well be underestimated and points out that current studies indicate 1/3 of all email is spam. The saturation has lead some consumer watchdog agencies to file a formal petition with the Federal Trade Commission in an effort to regulate and diminish unsolicited email. Morrison and Foerster, a San Francisco law firm, takes the fight against spam even further, suing the originators of unsolicited spam and claiming damages up to $50 per email. Presumably most of that must be to cover attorney fees. Using a fairly comprehensive calculator to determine actual cost per spam, average users can likely expect an average .18 cent cost per spam, just to hit the delete key. Costs rise if the email is actually read; 12 minutes spent responding to a single spam raises the average cost to approximately $10/spam. These costs are unknowingly absorbed by users and corporations, putting a drain on resources and affecting the bottom line - in short, a recognizable, tangible attack with real consequences. Maggie Shiels, in an article for BBC News refers to the unpopular bulk mailers as "spam merchants who wage guerrilla warfare on our e-mail inboxes."

Walt H., who asked that his real name not be used, also feels that a cyberwar is already underway. A year ago, Walt experienced widespread data loss on his company's computers, forcing him to shutdown his small business for a full week, resulting in costly repairs and complete loss of income. The problem stemmed from a virus infection, though the subsequent loss of data was more likely the fault of an inexperienced technician. Regardless, had the infection not occurred, the visit to the repair shop would not have been necessary, and Walt would not have lost essential data and income. To those who think current viruses and hacking aren't terrorist activities, Walt challenges, "If an attack wipes out a person's business to the point that they contemplate suicide, that's a serious, severe attack and it's a form of terrorism."

It seems Richard Clarke, security Czar for the US Government, concurs. Speaking at the Networked Economy Summit sponsored by George Mason University, Clarke warned, "Digital Pearl Harbors are happening every day, they are happening to companies all across the country,"

Is it really fair to compare loss of data and loss of productivity to the loss of life at Pearl Harbor or the horrific events of September 11, 2001? Can one compare distributed denial of service attacks against eBay and Yahoo with physical bombing? Not only is the appropriateness of the terms used coming under fire, but the question remains, if what actually constitutes an act of cyber-terrorism cannot be suitably defined, how can one begin to quantify the risk factor?