The Internet has become a vital element of national infrastructure, connecting tens of millions of individuals and millions of businesses, large and small, to their customers and business partners. Private internal computer networks are increasingly vital infrastructure for businesses of all sizes, and almost all of them are connected directly or indirectly to the Internet. Government and business use networked computers to control much of the country’s physical infrastructure as well, offering the potential cyberterrorist many high-profile targets,

such as:

– The Internet itself, which could be disabled

– Government systems, such as the ones used to send Social Security payments

– The banking system

– The Postal Service and private shipping companies

– The electrical power grid

– Nuclear power plants

– Missile and other military systems

The terrorist’s goal is to cause high-profile damage with a minimal expenditure of resources, and cyberterrorism is a particularly attractive route to this goal, since the risks are so low.

Probing vulnerabilities

Let’s look for a moment at how a cyberterrorism operation would be set up, to help us see what defenses we need.

First, a team and facilities would need to be assembled. Facilities are easy a few computers, hacking tools that can be downloaded at no cost from the Internet and high-speed Internet connections, preferably in countries with weak computer-crime laws so that extraditing the attackers would be impossible, even if they were identified. The team needs to be educated, ideally with a solid computer science background plus exposure to the world of hackers and crackers.

Second, targets would be selected. This involves drawing up a long list of potential targets and doing a preliminary exploration to see which are most vulnerable. Attacking a variety of targets at the same time, before cyberdefenses can be increased, would be most effective. Therefore the attacks would need to be carefully prepared in advance, by breaking into systems undetected. In many cases, this would be made much easier by infiltrating employees into the target organizations, where they would have inside access to systems and networks.

What can we do to help protect against this threat? First, we must recognize that all Internet-connected computers can be exploited by an attacker. Even a personal computer connected via DSL or cable modem can be used as a base from which to anonymously launch manual or automated attacks against other systems.

This is usually done by installing special attack software on the PC, which is remote-controlled by the attacker. An example is last year’s denial-of-service attack against several high-profile Web sites such as Yahoo and Amazon.com. Thousands of smaller systems flooded the targets with connection requests, too many for them to handle.

Establishing protections

The owners of all Internet-connected systems should take responsibility for making sure their systems aren’t used to attack other systems. The best way to make sure they are free of malicious software is with an anti-virus program whose virus signatures are updated often.

They can also be made much more resistant to attack, with low-cost personal firewall software, and by installing the latest updates to operating system and network-related software. The more powerful a system is, the higher speed its Internet connection, the more it’s connected to other systems, the more important it is to secure it.

Businesses such as banks and utility companies, which have assets that are potential terrorist targets, need to do much more than this they need full-fledged security policies and programs, with special attention given to computer systems controlling those targets. An active intrusion-detection program is a must, as is careful background screening of potential employees and robust access controls to prevent employees from tampering with systems they have no need to use.

All computer systems need to be carefully protected, since attackers will break into the weakest systems first, and use them as bases from which to further their attack.

Finally, government agencies responsible for protecting our infrastructure, such as the NIPC (National Infrastructure Protection Center) should draw up a list of potential cyberterrorism targets and coordinate with them to help insure good information security. They should also more actively track down and monitor those who perpetrate serious cyberattacks against this target list, even before an actual crime such as a break-in has occurred. A variety of measures could be taken against these attackers, ranging from surveillance to counterattacks overt or covert, legal or extra-legal, cyber or physical.

The time to take steps to defend against cyberterrorism is now, before any major attack has occurred. Most businesses run computers that are connected to the Internet, and should be responsible for taking adequate steps to protect those systems so that they’re not used by attackers.

Dean Wallraff is a principal at Reliable Security Co., a Los Angeles information security consulting company. He can be reached at [email protected].