Cyber security moves up the terrorism agenda

Terrorists see the potential of the internet as a tool to disrupt the world of commerce and to finance their activities

Terrorism is changing. Forty years ago, Germany’s Red Army Faction, or Baader-Meinhof Group, launched arson attacks on department stores, murdered industrialists and robbed banks as part of their anti-capitalist assault on the West.

Many of today’s extremists are just as intent on causing headline-grabbing death and destruction – but they also see the potential of the internet as a tool to disrupt the world of commerce and to finance their activities.

Western governments recognise the threat and are taking action. In the UK, the Government has published a cyber security policy as part of its updated National Security Strategy.

A dedicated Office of Cyber Security in the Cabinet Office will coordinate policy across government and look at legal and ethical issues as well as relations with other countries.

The initiative encompasses protecting businesses and individuals from fraud, identity theft and e-crime.

Launching the strategy, security minister Lord West warned that future targets could include key businesses, the national power grid, financial markets and Whitehall departments. 

He told the BBC: “We know terrorists use the internet for radicalisation… but there is a fear they will move down the path of cyber attacks… As their ability to use the web and the net grows, there will be more opportunity for these attacks.”

US plans cyber tsar

Meanwhile, US President Barack Obama has announced plans for a cyber security office in the White House. He said that America’s digital infrastructure should be treated as a strategic national asset from now on and that he planned to appoint a cyber tsar.

Acts of terror today, he said, could come “not only from a few extremists in suicide vests, but from a few key strokes of a computer—a weapon of mass disruption”.
 
Commenting on the news in the UK, Andrew Swan, associate director at Lloyd’s broker Aon, said that he was encouraged that the UK government had recognised the threat of cyber terrorism.

“The government needs to support UK business by cascading advice on how to secure systems against such attacks and acting as an extension to IT functions by challenging current security measures and back up systems,” he said.

Swan told Lloyd’s 360 that the cyber terrorism threat is varied and hard to identify.
 
“The concept is one of state sponsored or fringe groups targeting other countries’ infrastructure or singular organisations by overloading their systems with information causing them to grind to a halt, or by introducing viruses most commonly via Trojans,” Swan said.

Source of exposures

Cyberspace is a growing source of exposures for companies and governmental institutions, and that includes cyber terrorism and cyber extortion, says Paul Bantick, professional liability underwriter at Lloyd’s insurer Beazley.

“Contrary to popular belief, the people involved are not eccentric individuals but are more likely highly motivated, sophisticated and organised groups—whether criminal or political,” he says.

Beth Diamond, claims manager at Beazley, says that financially motivated cyber attacks have been traced to Eastern Europe, and that the politically motivated threat posed by North Korea to disable networks in the West is well documented.

“But domestic threats exist too and could be more of a danger. Young, smart, tech-savvy groups could use cyberspace to make a political statement,” she warns.

“These people could, for example, be local anti-capitalist groups targeting a financial institution or single issue extremists targeting a life sciences company.”

NATO’s response

Bernard Roussely, who is chief of the information assurance team (NC3A) at NATO, says organisations should put in place several lines of defence and not rely on a single IT solution.

Mr Roussely’s team is responsible for building up NATO’s cyber defences, but it can also provide technical support and advice on request from member nations.

He advises organisations to consider both their technical and human vulnerabilities. Staff should be made aware of IT security issues and the procedures they must follow to mitigate them.

To defend against insider attackers, for example, he advises making sure that employees have only the access privileges they need. Regular IT audits, although expensive, can be used to flag up any anomalies.

New ways of working could increase an organisation’s vulnerability to a breach by outsiders too. Employees increasingly have remote access to a company’s network, either from home or while travelling.

A weakness in security could create an opportunity for someone trying to get in.

Business continuity plan

But it is crucial for organisations to recognise that they cannot cover every vulnerability, Roussely says: “So they must put in place a business continuity plan that can be activated when they suffer an attack. The plan must be kept up to date and it must be tested regularly by simulating an incident.”

Some business sectors are ahead of others in their preparedness, according to Beazley’s Paul Bantick, and that includes buying insurance.

“We find that financial institutions and life science companies in particular are very concerned about data breaches and the loss of confidential data,” he says.

“At the same time, these clients are concerned about cyber extortion, linked to activism, and our [insurance] coverage responds to that.”
