• Investment World
• eWorld
• Catalyst
• Mentor
• Life
• Canvas
• Praxis
• Urban Pulse
• Brand Quest

R.K. Raghavan

Terrorists might have their hands on the trigger of the gun, but they could, in future, go for the computer mouse to unleash attacks. Is anyone listening?

While Bin Laden may have his finger on the trigger, his

grandchildren may have their fingers on the computer mouse. — Frank Cilluffo, Associate Vice-President for Homeland Security

SOBER is the latest name that is doing the rounds in computer security circles all over the world. Sweeping across different geographies, the worm is known to have affected at least a million e-mail messages in various countries including India, before it was brought under control.

As I write this, it is not known how `Sober' got into circulation. Major anti-virus companies were quick to act to arrest the spread of the worm.

But before emergency response teams in large corporations could act, their systems had been affected. The loss to companies and individuals is inestimable.

Whenever I hear of this kind of a virus attack, I get the creepy feeling that it is not the thoughtlessness or an act of mischief of a small-time programmer that we are dealing with here. This was the widespread impression in the US when a number of major States were wrecked by a power failure two years ago, although subsequent investigations did not confirm a terrorist hand.

I tend to look upon such occurrences as the handiwork of a terrorist or someone close to him trying to fathom cyberspace to check how well prepared all of us are, including governments, to meet a cyber attack. A sort of a rehearsal for the action to come!

I could be totally off the mark and may even be dismissed as being paranoid. This exactly would have been the reaction if anybody had conjectured the terrorist use of an aircraft to bring down the Twin Towers in New York on September 11, 2001.

Not many responsible for internal security in many countries are willing to concede that aggression through cyberspace has become greatly attractive, and that this would be preferred by terrorists to indulging in a physical onslaught such as setting off explosions.

A terrorist now needs limited resources and requires to know only the vulnerabilities of an enemy's computer systems.

Also, he need not undertake the kind of inter-continental travel that 9/11 called for, something that has become extremely difficult with newer and newer mechanics used to identify terrorists trying to enter another country.

This was broadly the theme of the keynote address of Roger Cressey, a former Chief of Staff to the US President's Critical Infrastructure Protection Board, at the recent InfoSec World conference in Orlando.

It is Cressey's assessment that software vulnerabilities are amazingly easy to detect, and this is one reason why it would be preposterous to think that attacks on critical infrastructure are a mere conjecture.

The non-reporting of any significant terrorist attack using computer skills has unfortunately led to dangerous complacence, and we need to pay more attention to the nuances of cyber terrorism.

As Cressey says, an attack on the Internet may not directly lead to a massive loss of lives. Also, cyber terrorism may aim only at bringing down governments or alter the nature of a political system.

We cannot ignore the fact that, in the process, it necessarily causes the maximum damage to the average law-abiding citizen by denying him basic services such as water and electric supply and critical care at a hospital. Disruption of air, train and banking services could be another consequence.

The impact of all this is one of chaos and unmitigated panic, elements antithetical to constitutional forms of governance.

There is here the danger of confusing the terrorist's sinister plans with `hacking', a mischief that is more often than not done out of a sense of adventure, and only occasionally to spite another individual or organisation.

In contrast, cyber terrorism is born out of a vindictive desire to spread fear and disorder in the community. Interestingly, till now, there have hardly been any reports of a collusion between hackers and terrorists or the latter infiltrating into hacker groups.

The general belief, according to a Congressional Research Service (CRS) report of April 2005, is that hackers are jealous of their knowledge and are extremely circumspect about sharing information on their sophisticated hacking tools with others who do not belong to their exclusive groups.

I wonder how long a terrorist inroad into such groups will remain solely a theoretical possibility. The lure of money and the intensity of religious bigotry can never be underestimated.

We cannot also ignore the bits and pieces of information trickling in that suggest that terrorist technical competence and ingenuity are growing.

Did you ever expect the use of a cell-phone to set off an explosion, as terrorists did in Madrid last year? In the days following 9/11, there were several reports pointing to Al Qaeda's use of computers for building their conspiracy, although there was no evidence that the group was thinking in terms of unleashing terror through cyber space.

Moving from a mere use of computers for exchanging information into acquiring mastery over programming is not exactly a far cry.

I can also recall how the dreaded Aum Shinrikyo cult in Japan, which was responsible for the lethal gas attack in Tokyo's subway in 1995, was said to have possessed some software skills.

Against this backdrop, the continued accent of the US and other Western nations on strengthening physical security by tightening immigration laws seems myopic.

There is everything that is happening around us, which would suggest that the average terrorist would rather switch over to cyber mechanics to inflict a toll on adversaries than risk the dangers involved in a frontal physical attack.

Can we do anything different from what we are now doing to protect our systems from the machinations of terrorists? Not really.

The classic vulnerabilities of systems are known, and the tools to plug them are available in wide variety. This is good as far as it goes.

The key, however, lies in the culture that prevails in organisations and individuals in whose custody systems have been entrusted.

If they are not charged with imagination, dedication and discipline, tools cannot take care of an increasingly ominous situation.

(The writer is a former CBI Director and currently Adviser to TCS Ltd.)

Article E-Mail :: Comment :: Syndication :: Printer Friendly Page

Stories in this Section
All for visibility

Copyright © 2005, The Hindu Business Line. Republication or redissemination of the contents of this screen are expressly prohibited without the written consent of The Hindu Business Line