Home > Uncategorized > Cyberterrorism


Last year I spoke at 28 different conferences, and as things currently stand, by the end of this year I will have spoken at even more. When I speak at a conference, I generally spend a good amount of time doing social networking, but I also carefully look through the agenda for talks that might be of interest and value to me. I have listened to a few talks on cyberterrorism at several conferences I have attended recently. Despite the fact that those who presented these talks had obviously spent a good deal of time and effort in creating their vugraphs, I must admit that I was disappointed with their content. As I think back on what troubled me, however, I think that my problem is really with the concept of “cyberterrorism” more than anything else. Any kind of terrorism, no matter what its source is, implies an attempt to wreak fear and havoc among people because of the potential for an impending, disastrous event to occur. Frankly speaking, misusing computers does not have nearly the potential for instilling fear in people as do bombs, automatic weapons, and hijacked planes crashing into skyscrapers.

So far there have been a few events that, if interpreted with some imagination, might be construed to constitute cyberterrorism. For example, in 2000 an attacker intruded into the computer network of a sewage treatment plant in Australia over a period of about two months, altering settings in computer systems that caused hundreds of thousands of gallons of sewage to leak into nearby rivers and parks. The attacker’s actions polluted the creek water to the point that the creek turned black and smelled badly, and many fish and other waterlife were killed. To claim that this incident instilled terror in the hearts of minds of local residents or anyone else, for that matter, would be a gross exaggeration, however. The same is true of more recent reported cyberattacks against power plants in which electricity generation was allegedly disrupted.

Cyberterrorism could happen, but will it happen, and if it does, what degree of impact will it really have? The public is, after all, not generally terrified when sewage leaks occur or when electrical power generation is disrupted, let alone when many (with a few notable exceptions) natural disasters such as hurricanes and massive disasters of much greater magnitude occur. Most organizations such as power plants have business continuity procedures that can at least to some degree lessen the impact of computer-related disruptions and outages. Additionally, most computing systems permit humans to intervene when these system fail or run abnormally. Cyberterrorism may thus be a fascinating topic, one that brings in millions of dollars to researchers who jump on the cyberterrorism bandwagon and that results in talk proposals that would otherwise be rejected being accepted at conferences, but I fear that there is much more hype than substance in this concept.

Has the cyberterrorism threat changed substantially since late 2001? Have we really learned anything new concerning the ways in which it might manifest itself, those who might unleash it, and how we can defend ourselves against it? I suspect that technically the answer is yes, but if this is true, it is barely true. I just hate to see the negative effect a small number of information security professionals who so avidly promote this content have on critical players such as senior management within organizations and thus ultimately upon the credibility of information security itself. Cyberterrorism needs to be viewed more realistically and hyped much less than it currently is. Most organizations currently face far greater threats than the cyberterrorism threat, and this is likely to be true for the foreseeable future. It is well time to get real and to quit talking like the proverbial Chicken Little, who lost all credibility by repeatedly crying that the sky is falling.

Categories: Uncategorized Tags:
  1. No comments yet.
  1. No trackbacks yet.
You must be logged in to post a comment.