Cyber Crime, Terror and Warfare - Expect the Unexpected
When talking and writing about security affairs, we tend to focus on Weapons of Mass Destruction and their delivery means, conventional threats, transnational terrorism, organized crime and drug issues – to name a few. We talk about future possible threats and challenges, but we neglect one existing threat and challenge: Cyber crime, terror and warfare.
There is an undeclared war by states, state-sponsored groups and private companies as well as infamous “hackers” that costs human lives and trillions of dollars per year. The Internet and the World Wide Web offer golden opportunities for espionage, theft, sabotage and paralysis of huge areas, as repeated virus attacks have proven.
Do we know where we stand? Do we have efficient firewalls to protect sensitive civilian and military areas? Are we protected against an “electronic Ebola” or an “electronic Pearl Harbor?”
I can remember that we avoided integrating cyber warfare into exercises because of the expected chaos. But what would happen if the highly sophisticated and highly vulnerable military C4 ISR system (Computer, Control, Command, Communication, Intelligence, Surveillance and Rescue) went crazy? What about “network centric warfare?” What about our communication and information systems based on vulnerable satellites?
What would happen if the software in nuclear power plants, traffic control or in our energy supply systems got out of control or were reprogrammed from outside? I am always shocked when I read reports of 16-year-old hackers who succeed in penetrating sensitive systems. What would happen if a state or a criminal company hired 20 hackers to do their job against specified targets and objectives? I think this is already being done today. The victims – like banks with their credit cards or with online banking – have no interest in informing the public.
What we occasionally read in the newspapers is in my view just the tip of a huge iceberg. The risks and challenges do not fade away if and when we turn a blind eye to them.
Therefore, in this newsletter we would like to focus on challenges in the non-military sphere and some protective measures against them. But what is enough? Each person in charge of a company, a civilian or military organization should start now to fight against this threat that could kill his company or organization within seconds.
In this context, exercise "Cyber Storm" that was undertaken by the US Department of Homeland Security from February 6 - 10 is of remarkable significance. 115 agencies and organizations - private and state - were confronted with simulated attacks against their computer systems. Power grids and banking systems got a chance to check their protective systems. This exercise should be taken as a blueprint for more exercises in the state and private sector.
What should be done? The following are a few suggestions:
- Each and every leading figure should put this threat at the top of his personal agenda. Don't leave it to the specialists.
- Increase the risk awareness of your people
- Invest more time and money in the training and qualification of your people
- Develop a handbook for your people on how to use the Internet correctly
- Practice realistic exercises within your organization
- Protect your archive and library
- Develop back-ups
- Go back to the old formula: “Need to know”
- Expect the unexpected