People intent on committing cyberterrorism are likely to attack critical elements of the world’s computer infrastructure in the future, but they do not yet have the capability to do so, a U.S. expert on cyberterrorism said last week. Full Story

“Terrorist organizations would very much like to tomorrow sit down at the keyboard and be able to have a sustained impact against the critical infrastructure, but I don’t believe that they have the capability yet,” Matthew Devost, president and chief executive officer of the Virginia-based Terrorism Research Center, said at a lecture in Tokyo. “They might be able to attack systems on the Internet, but that is much different from attacking those other systems underlying the critical infrastructure.”

Devost, who has been researching the impact of information technology on national security since 1993, provides strategic consulting services to foreign governments and corporations, advising on counterterrorism, information warfare, critical infrastructure protection and homeland security.

In his March 25 lecture at the Tokyo American Center, Devost repeatedly warned that computer systems are “inherently vulnerable” and continually under the threat of an attack, noting that terrorist organizations could be secretly preparing for an attack even now.

Devost categorized the types of threats from the smallest to the biggest, according to whom the threat came from: unstructured hackers, structured hackers, so-called hacktivists who are traditional activists protesting a particular policy or action by using hacking techniques, industrial spies, single-issue terrorists, international terrorists and nation-states that are “engaged in looking at potentially using cyber attacks as a mechanism of information warfare.”

He said he would classify the defacing of Web sites that has occurred since the start of the war in Iraq as mischievous criminal activity, not cyberterrorism, because such acts do not meet the cyberterrorism criteria of having a political or coercive impact on society.

To counter cyber attacks, society should have a strong research community engaged in independent testing of software and hardware that society is reliant on as critical infrastructure, Devost said.

He continued, “If we don’t do that, we’ll leave ourselves open to those vulnerabilities being exploited by somebody else.”

According to Devost, finding the balance between the benefits of utilizing the digital infrastructure and spending on eliminating vulnerability is possible through proper risk management.

“It’s a matter of finding the balance of risk in the organization based upon the realistic assessment of your own vulnerabilities,” he said. “It’s more cost-effective to have that type of approach–measured holistic approach–than to have spending allocation where you’re reactive to the attacks that occur.”

He cited a study he did for the U.S. government several years ago looking at the response to incidents within three companies and two government agencies. According to Devost, when an attack occurred, all the organizations would suddenly spend a tremendous amount of resources recovering from the attack. However, they would spend too much when no attacks were taking place and then would start to cut computer security budgets, making the company vulnerable once again. Further attacks sparked the same pattern of corporate behavior again and again.

“If they had just had an appropriate level of security–resources to keep them above a line–it would be cheaper than spending money all the time going up and down,” he said. Copyright 2003 The Yomiuri Shimbun