Combating Cyber-Terrorism and Cyber-Crime
Dave Carlson - February 26, 2008
This article discusses cyber-terrorism and cyber-crime followed by recommendations about how to eliminate or reduce the threat posed by these nefarious activities. Included in the recommendations is a discussion of actions an information manager may take when a perceived threat becomes an actual attack. There is a high probability that sophisticated digital attack capabilities may be transferred to terrorists by state sponsorships and purchase from criminal elements. The goals of the Department of Homeland Security form the basis for actions to protect strategic national infrastructure and establish a framework on which to hang actions to protect critical business information system infrastructures. Poor information security puts an organization at risk and may create a platform from which others may be attacked.
The United States formally recognized the possibility of cyber attack and information warfare in the mid-1980s (Cordesman, 2002). In 1996 the United States Armed Forces embraced the term cyber-terrorism, coined by combining the terms cyberspace and terrorism (Janczewski & Colarik, 2005). Two years later the Center for Strategic and International Studies generated a report entitled, Cybercrime, Cyberterrorism, Cyberwarfare, Averting an Electronic Waterloo (Janczewski & Colarik, 2005). In that report, the Center defined cyber-terrorism as: “Premeditated, politically motivated attacks by sub-national groups, clandestine agents, or individuals against information and computer systems, computer programs, and data that result in violence against noncombatant targets” (Janczewski & Colarik, 2005, p. 43).
Andert (2005) observed that some experts taught that the term cyber-terrorism is a misnomer. These experts argued that terrorism is in a class of crime so grievous that computer-related offenses should not be included in this nefarious crime category. “The broad definition of cyber-terrorism is any kind of computer attacks against critical infrastructures, which does not differ from the definition of computer crime” (Janczewski & Colarik, 2007, p. 140). For the purposes of this paper, the terms cyber-terrorism and cyber-crime will be used interchangeably. Even though there is an academic difference between the terms, this paper will discuss the effects of cyber-terrorism and cyber-crime threats to organizations and not address the political impacts of terrorist activities against critical information infrastructures.
This paper will discuss background and current information related to cyber-terrorism and cyber-crime, followed by recommendations about how to eliminate or reduce the threat posed by those activities. Included in the recommendations section will be a discussion of actions an information manager may take in the increasingly-common event where a perceived threat becomes an actual cyber attack. The focus will be more about management issues related to what a manager should do, rather than on the technical side of how to implement the suggestions, since every organization has unique information system configurations and requirements. It is the responsibility of an organization’s information manager to make the appropriate determination about the actions to take to protect a specific organization. The final section of this paper will present the author’s conclusion.
As societies moved from the industrial age to the information age, particularly in western civilizations, daily operations of almost all organizations developed a great deal of reliance on information system infrastructures for communicating, coordinating, and disseminating daily operational information to all levels of the organization (Colarik, 2006). Economic and political enemies, along with criminals and hackers, have kept pace with technological advancements to disrupt information infrastructures; in many cases these disruptions have exceeded the ability of an organization to protect or recover. Colarik (2006) maintained that information infrastructures are emerging as “the next battleground for the so-called War on Terror, and terrorist alike” (p. 12). Rival countries and organized criminal syndicates have developed sophisticated information warfare capabilities. There is a high probability that these sophisticated digital attack capabilities may be transferred to terrorists by open or covert state sponsorships and clandestine purchase from criminal elements (Colarik, 2006).
A major power outage simultaneously hit dozens of cities in the United States and Canada the afternoon of August 14, 2003. Within a span of only three minutes, a cascade effect in the power grid caused at least twenty-one power plants to shut down, depriving more than 1.2 million people of electricity (CNN, 2003). Some people reacted to the power outage with annoyance while others panicked. An initial outcry of terrorism in some areas turned out to be unsubstantiated, but the incident reinforced the fact that “a major terrorist assault with severe real world consequences could be launched against the computer systems that control the infrastructures on which everyone depends” (Andert, 2005, p. 161).
The September 11, 2003 coordinated attacks on the United States destroyed important structures and took many lives. Those terrorist acts created a significant tragedy in world history, especially for the United States. However, Verton (2003) observed there is a concern greater than the loss of the buildings.
As important as the buildings attacked on that day were—both in terms of the lives of the people who lived and worked in them and their value as symbols of economic and military power—the true underpinnings of their power lay beneath them: in hundreds of thousands of miles of coaxial and fiber optic cables and the computers they link together; in the electrical power grid that feeds and nourishes these computers; in the water supply that feeds both the hydroelectric plants and the people who operate the computers; in the bus, rail, truck, and highway systems that supply the parts for these infrastructures; in the telecommunications networks that allow these computers to communicate with each other and allow people to go about their daily lives; and in the financial systems of banks, insurance companies, brokerages, and other financial institutions that fund and insure these technologies and depend on them in turn for their own lifeblood. (p. vii)
Unseen critical infrastructure facilities and the information systems they support should be a top priority for every organization, both for the preservation of the organization and for the preservation of the society in which that organization functions. The next section of this paper will discuss threats to information infrastructures.
There exist many threats to information infrastructures. An Information Technology manager must be aware of and deal with threats from both inside and outside the organization. Overlooking what appear to be insignificant threats can lead to dire consequences. Benjamin Franklin had no idea that many of his teachings would still be timely in today’s world when he penned the following words: “sometimes a little neglect may breed great mischief” (Franklin, 1733, p. 50). He expanded on that point by adding “for want of a nail, the shoe was lost; for want of a shoe the horse was lost; and for want of a horse the rider was lost, being overtaken and slain by the enemy, all for want of care about a horse-shoe nail” (Franklin, 1733, p. 50).
In 1959 a business books editor from Prentice-Hall penned the words, “I have traveled the length and breadth of this country and talked with the best of people, and I can assure you that data processing is a fad that won’t last out the year” (Piercy, 2002, p. 372). Nearly 50 years later the data processing fad identified by the editor is still with us. Data processing and information sustains or defines most organizations in today’s world. The data processed by these information systems must be protected from unauthorized access. “Security measures must prevent unauthorized persons from reading sensitive data from a computer screen, from intercepting spoken messages, from tapping telephone lines, or similar acts” (Janczewski & Colarik, 2005, p. 62).
Bidgoli (2005) acknowledged there were significant threats to consider. He proposed that the greatest amount of effort toward information security should be focused not on the external threat from terrorist organizations, but on the internal threat of disgruntled employees. Consider the standard risk management formula,
RISK = f (threat x vulnerability x likelihood x impact).
Security data indicates that a disgruntled employee “is by far the most likely threat and historically has had the biggest impact” (Bidgoli, 2005, p. 10). Because employees may access sensitive systems on a regular basis, the systems are more vulnerable to disgruntled insiders. Additionally, an insider would have the knowledge to create the greatest negative impact on the organization.
“Perhaps the most important factor in building a good information security system is a supporting attitude from top management” (Janczewski & Colarik, 2005, p. 14). Tipton and Krause (2004) suggested that the best way to teach and motivate organization leaders to support information security is to show how security procedures and policies “support primary business objectives and meet regulatory compliance; they cannot be an afterthought or superfluous” (p. 270). Suggested themes for developing organizational leadership training are:
- Comply with applicable laws and regulations.
- Demonstrate due diligence.
- Help prevent loss and thus increase profit.
- Protect the organization from liabilities related to security negligence.
- Enhance and/or support customer and public reputation. (Tipton & Krause, 2004, p. 270)
Three major external threats to information systems are unauthorized physical entry, unauthorized electronic entry, and loss of equipment through theft, loss, or destruction (Janczewski & Colarik, 2005). The primary concern for information security is to prevent unauthorized persons from wandering around the company premises (Janczewski & Colarik, 2005). Physical security and access controls are effective ways to help protect company data and information systems. Janczewski and Colarik (2005) cautioned against implementing excessive protection measures. Security controls need to be proportional, nonintrusive, and in line with overall company business policy.
“Among the most significant computer risks in today’s business environment is the ever-increasing use of laptop computers, notebooks, PDAs, and other portable devices” (Wilding, 2006, p. 131). The cost to purchase portable computing equipment has fallen significantly over the years, but its actual business value has increased. Compelling evidence revealed that the contents of a portable electronic device may be of far greater business value than the device’s replacement price (Wilding, 2006).
A cyber attack may not directly affect an organization, but the organization may become an unwilling and unknowing accomplice to terrorist activity. Weimann (2006) documented instances where terrorists hacked into an organization’s Web site and posted information that aided their “communication, propaganda, marketing, and fund-raising” efforts (p. 50). Most terrorist groups avoid violent references on their own Web sites, preferring to post their hate messages on the Web site of an unwitting organization (Weimann, 2006). Imagine the negative public image an organization would be forced to address if a reporter discovered and published information about a terrorist handbook available for download from the organization’s Web site.
Corporations and businesses own and operate some of the largest computer network systems known. These users must maintain a high degree of awareness and be ready for the worst. A company that does not mind its own security is not only putting itself at risk, but offers itself unintentionally as a platform from which others may be attacked. (Andert, 2005)
The goals of the U.S. Department of Homeland Security (DHS) form the basis for actions to protect strategic national infrastructure (Ridge, 2004). Even though DHS reports to the American public and focuses its efforts on the good of the entire nation, its goals establish a responsible framework on which to hang actions to protect critical business information system infrastructures. Following the lead of the Department of Homeland Security, a public or private organization must have the appropriate level of awareness, prevention, protection, response, recovery, service, and organizational excellence.
Identify and understand threats, assess vulnerabilities, determine potential impacts and disseminate timely information to business partners, stockholders, and employees (Ridge, 2004). “Finding out that a cyber crime has happened and actually doing anything about it is no simple process” (Colarik, 2006, p. 44). An effective Business Impact Analysis (see Appendix B) provides a best-practice tool an organization can use to develop an appropriate organizational awareness to help protect against cyber attacks. A Business Impact Analysis provides a foundation for information risk management, “the most significant part of building an overall protection plan for a business” (Janczewski & Colarik, 2005, p. 48).
Verton (2003) proposed that increased awareness of threats would create a deterrent to reduce an organization’s vulnerability to cyber attack. Just as cockroaches scurry for cover when they are revealed by a bright light, awareness can cause cyber terrorists to withdraw a plan to attack an aware organization when confronted with the light of discovery. Everyone related to an organization must be aware of their role related to information security. Wulgaert (2005) emphasized that two groups of people need to be aware of security concerns: 1) “every member of an organization, from the mailroom staff to the CEO” and 2) “every other individual that potentially has access to the organization’s information” (p. 10). Information security awareness includes not only all members of an organization, but also anyone who (physically or digitally) accesses the organization’s information systems.
Detect, deter, and mitigate threats to the organization (Ridge, 2004). Janczewski and Colarik (2005) insisted that the best way to prevent security problems is to develop and enforce an effective information security policy; one that is “driven by the company’s mission statement” (p. 201). Management must identify threats and establish policies to mitigate threats to the organization (Janczewski & Colarik, 2005).
Safeguard employees, critical information infrastructure, property, and the economic well-being of the organization from acts of terrorism, natural disasters, or other emergencies (Ridge, 2004). Janczewski and Colarik (2005) suggested the following three general areas to consider for stopping or reducing the impact of a cyber attack:
- Physical security. Deny unauthorized access to physical facilities and equipment.
- Access control. Deny unauthorized access to digital systems.
- Personnel security. Deny unauthorized access to employment opportunities.
The most important rule related to information security is to prevent unauthorized people from wandering around the company premises (Janczewski & Colarik, 2005). Physical security and access control are effective ways to help reduce the risk of physical and cyber attack. To retain their effectiveness, security and control systems must be consistent and applicable to everyone in the organization.
Lead, manage, and coordinate the organization’s response to acts of terrorism, natural disasters, or other emergencies (Ridge, 2004). In her Knowledge is Power book, Mazer (2004) taught sixth graders that the best way to prepare for school and to respond to unexpected and new events was to be prepared. Many of the principles that were true in the sixth grade still are true in today’s business environment. Understanding the threats and knowing how to respond contribute significantly to successfully dealing with emergencies.
Lead the organization’s efforts to restore services and rebuild business relationships after acts of terrorism, natural disasters, or other emergencies (Ridge, 2004). An organization must have a business continuity plan in place before disaster strikes; after-the-fact usually is too late to plan for recovery. Wallace and Webber (2004) observed that few business managers question the need for insurance, but it is an unfortunate fact that many organizations fail to consider a business continuity plan as valuable protection against disasters.
Serve the organization effectively by facilitating lawful trade, business interaction, and employment practices (Ridge, 2004). Directly related to information security are employment practices. Janczewski and Colarik (2005) argued that “the importance of security issues relating to personnel policies has and continues to be a factor in the overall protection of organizational systems” (p. 163).
Ensuring employees are investigated prior to employment and trained during employment will help create an appropriate security environment (Janczewski & Colarik, 2005).
Value the organization’s most important resource, its people. Create a culture that promotes a common identity, innovation, mutual respect, accountability, and teamwork to achieve efficiencies, effectiveness, and operational synergies (Ridge, 2004). It is important to ensure all members of the organization are aware of security concerns, since “the best protection mechanisms within an organization are its employees” (Janczewski & Colarik, 2005, p. 127).
Even though there is an academic difference between cyber-terrorism and cyber-crime, the devastating effects of an attack to an organization are the same. The greatest threat to information systems is from within. Following the lead of the Department of Homeland Security, an organization must have the appropriate level of awareness, prevention, protection, response, recovery, service, and organizational excellence. Because of the reliance upon information systems in today’s world, managers and employees at all levels must do their part to be aware of the threats and know how to respond to various emergencies, so the organization can survive.
Andert, S. (2005). Web stalkers: Protecting yourself from Internet criminals & psychopaths. Kittrell, NC: Rampant Tech Press.
Bidgoli, H. (2006). Handbook of information security. Hoboken, NJ: Wiley.
CNN. (2003). Major power outage hits New York, other large cities. Retrieved February 25, 2008 from http://www.cnn.com/2003/US/08/14/power.outage/
Colarik, A. M. (2006). Cyber terrorism: Political and economic implications. Hershey, PA: Idea Group Publishing.
Cordesman, A. H. (2002). Cyber-threats, information warfare, and critical infrastructure protection: Defending the U.S. homeland. Westport, CT: Praeger.
Franklin, B. (1733). Poor Richard’s almanac. [Electronic version]. Retrieved February 25, 2008 from http://www.antiquebooks.net/cgi-bin/wordpage?book=7&ss=nail
Janczewski, L. & Colarik, A. (2005). Managerial guide for handling cyber-terrorism and information warfare. Hershey, PA: Idea Group Publishing.
Janczewski, L. J. & Colarik, A. M. (Eds.). (2007). Cyber warfare and cyber terrorism. Hershey, PA: Idea Group Publishing.
Mazer, A. (2004). Knowledge is power. New York: Scholastic.
Piercy, N. F. (2002). Market-led strategic change: A guide to transforming the process of going to market. Woburn, MA: Butterworth-Heinemann.
Ridge, T. (2004). Securing our homeland: U.S. Department of Homeland Security strategic plan. [Electronic version]. Retrieved February 25, 2008 from http://www.dhs.gov/xlibrary/assets/DHS_StratPlan_FINAL_spread.pdf
Tipton, H. F. & Krause, M. (2004). Information security management handbook. Boca Raton, FL: CRC Press.
Verton, D. (2003). Black ice: The invisible threat of cyber-terrorism. New York: McGraw-Hill.
Wallace, M. & Webber, L. (2004). The disaster recovery handbook: A step-by-step plan to ensure business continuity and protect vital operations, facilities, and assets. New York: AMACOM.
Weimann, G. (2006). Terror on the Internet: The new arena, the new challenges. Washington, DC: United States Institute of Peace.
Wilding, E. (2006). Information risk and security: Preventing and investigating workplace computer crime. Hampshire, UK: Gower Publishing.
Wulgaert, T. (2005). Security awareness: Best practices to secure your enterprise. Rolling Meadows, IL: ISACA.
Yelland, L. (Ed.). (2007). Generally accepted business continuity practices: A look at business continuity best practices. A joint project of Disaster Recovery Journal and Disaster Recovery Institute International. Retrieved February 18, 2008 from http://www.drj.com/GAP/