Cyber terrorism. (Security).
The aftermath of 9/11 and increasing tensions in the Middle East and with Iraq have heightened the risk of cyber-terrorism, and companies need to review their security procedures and insurance coverage.
While property and casualty insurers wrestle with the risks of terrorism in the aftermath of September 11, terrorism coverage provided by e-business insurance policies hasn't changed: Most of these policies continue to cover cyber-terrorism. In addition, some insurers that had excluded cyber-terrorism now offer terrorism coverage for an added premium.
The underwriters' position stems from their difficulty identifying perpetrators of cyber-terror attacks and the fact that damages from cyber-terrorism resemble consequences of other types of hacking incidents or Internet attacks. Most insurers feel that defenses against attacks on systems by hackers are identical to those needed to limit attacks by terrorists.
At this point, there is anecdotal evidence of an increase in systems attacks stemming from the Middle East unrest and the U.S. operations in the war against terrorism. Surveys by a leading information security company of attacks on information systems before and after September 11 found the number of attacks rose precipitously within two weeks of the terrorist attacks as the war against terrorism took shape.
Assessing the Risk
Although it is not clear whether these incidents were directly related to the 9/11 attacks, the evidence indicates that terrorism could have raised the intensity of attacks on information technology. The perceived increase in exposure from terrorist attacks focusing on technology is also apparent in two published reports -- one published well before September 11 and one immediately after.
A 1999 report by the Center for the Study of Terrorism and Irregular Warfare at the Naval Postgraduate School in Monterey, Calif., concluded the barrier to entry for anything beyond annoying hacks by terrorists is high. Terrorists, the authors thought, generally lacked the wherewithal and human capital needed to mount a meaningful operation. They saw cyber-terrorism as a phenomenon of the future.
The Monterey study estimated that it would take a group starting from scratch two to four years to reach an advanced level and 6-10 years to reach the level where the most serious potential damage could be done -- although some groups might get to that level in a few years or turn to outsourcing or sponsorship to extend their capability.
The authors determined that only religious groups are likely to seek the most damaging capability level, consistent with their indiscriminate application of violence. On the other hand, they concluded that single-issue terrorists pose the most immediate threat because they're likely to accept disruption as a substitute for destruction.
A subsequent Dartmouth College report, published Sept. 22, 2001, provided evidence that cyber-terrorists pose a significant threat now. It found that cyberattacks could escalate in response to U.S. and allied retaliatory measures against the terrorists responsible for the 9/11 attacks. The report found that politically motivated cyberattacks had escalated around the world, with an increase in number, scope and level of sophistication. Where earlier cyber-attacks were relatively benign, the more recent attacks targeted vital communications and critical infrastructure systems. Notably, the report showed that terrorists are increasingly involved in targeting information technology infrastructure.
Evidence of cyber-terror activities was found in several areas:
* The Pakistan-India conflict. Indian Internet sites defaced by Pakistani hacker groups have been political, highly visible or involved in information dissemination. Examples include an Indian government site, television network, newspaper, science agency and an atomic research facility. In the latter incident, five megabytes of possibly sensitive nuclear research or other information was reportedly downloaded. Pro-Pakistan defacements of Indian Web sites have risen dramatically, and one pro-Pakistan hacker group has targeted U.S. sites in the past, defacing those belonging to the Department of Energy and the U.S. Air Force.
* The Israel-Palestinian conflict. In Israel, Palestinian cyber attackers have carried out significant Web site defacements, engineered coordinated distributed denial-of-service attacks and system penetrations, and utilized worms and Trojan horses.
* U.S.-China spy plane incident. The mid-air collision between a U.S. surveillance plane and a Chinese fighter aircraft in April 2001 triggered an online campaign of mutual cyber-attacks and Web site defacements surrounding the political dispute between the two countries.
The report concluded that Iraq and Libya are among several countries thought to be developing information warfare capabilities. In addition, perpetrators from countries not directly involved in the U.S.-led war on terrorism could launch cyber-attacks against U.S. systems under the guise of a country that is the focus of the war. Experts are particularly wary of these risks because it is relatively easy to disguise the origins of information attacks.
Hackers frequently launch distributed denial-of-service attacks against an array of targets, but the danger lies in a coordinated attack on significant national resources, such as communications, banking and other financial capabilities. Cyber-attacks against critical communication nodes could be particularly harmful during a crisis. Experts believe that router vulnerabilities could be used to gain control of a number of Internet backbone routers.
A number of reports on national security have raised the specter of an unanticipated, massive cyber-related attack on critical infrastructures -- such as telecommunications, electrical power systems, gas and oil, banking and finance, transportation, water supply systems, government services and emergency services -- that could disrupt core functions. The degree to which the infrastructures are dependent on information systems, and may be interrelated, is still not well understood.
The government's concern over the possibility of debilitating attacks led to the creation of the President's Critical Infrastructure Protection Board (CIPB) in October 2001. It released a draft National Strategy to Secure Cyberspace on Sept. 18, 2002 with the aim of setting an agenda to "secure the information technology networks and systems that are necessary for the nation's economy and critical services to operate."
The CIPB team is evidently convinced that the threat to the nation's critical information infrastructure is immediate and real. The case for action is based upon several conclusions: past levels of cyber damage are not accurate indicators of the future; cyber incidents are increasing in number, sophistication, severity and cost; fixing vulnerabilities before threats emerge will reduce risk; and that everyone must act to secure their parts of cyberspace.
Surveys have shown that the costs associated with a severe computer attack are likely to be greater than the preemptive investment in a cyber-security program would have been. Designing strong security into the information systems architecture of an enterprise can reduce overall operational costs by enabling cost-saving processes such as remote access and customer or supply chain interactions that could not occur in networks lacking appropriate security.
The CIPB report contains a veiled threat that the government may move to regulate if the voluntary participation it is seeking from the private sector does not materialize and the health, safety or well-being of the American people
Once relevant security protections are in place, the CIPB recommends that organizations explore options for covering cyber-terror risk and the risk of systems and data vandalism through e-business insurance programs. Under e-business policies, breaches or failure of systems security trigger coverage for losses sustained directly by the insured or resulting in liability to third parties. Sometimes, the policies define "cyber-attack," "unauthorized access" or "unauthorized use" of systems.
Many e-business insurance policies specifically cover such events as denial-of-service attacks and malicious code attacks. Almost all focus on intentional acts of third parties that harm computer systems. Acts of cyber-terrorists will, in almost all cases, come within these "insuring agreement" definitions.
The CIPB report recommends that the responsibility for cyber-security be raised to the board level to oversee the sufficiency of cyber-security structure and controls. Standards for corporate directors and officers were being raised prior to the collapse of Enron Corp. and the revelations arising from WorldCom Inc. and other troubled companies. These recent events are likely to accelerate the process. Recent court cases in some states have implemented a higher standard of responsibility for boards for compliance with standards similar to those being recommended by the government for computer security.
Oversight duties can go beyond being reasonably informed, and may require a good-faith effort to assure that a corporation has adequate information and reporting systems. Failure to comply with the standards can potentially result in liability. The Business Judgment Rule defense -- which can exonerate directors when they rely on advice provided by company officials or other appropriate sources -- may be unavailable if a board fails to appropriately inform itself regarding the need for, and scope of, an information technology audit or implementation of best practices. The Business Judgment Rule defense is a rebuttable presumption that the board acted properly in making a decision.
The 9/11 attacks raised awareness about vulnerability to terrorism and brought into focus new risks to companies, reliance upon telecommunications and other grids, and new potential threats to the economy. Since each company has a different technology risk profile, board members need to understand these types of risks, help assess levels of protection and fulfill their compliance duties.
Best Practices for IT Security
Large businesses that could be at risk for terrorism should implement an education and compliance process overseen by a committee that includes the CFO, risk manager, CIO, the chief information security officer, auditing and key operations executives. The CIPB provides guidelines to facilitate the integrity, reliability, availability and confidentiality of the enterprise.
Best practices can now include an annual systems risk analysis and review of disaster recovery and business continuity plans, and an annual compliance assessment, including a review of the implementation of systems security policies and employee policies, as well as other security and operational activities.
Technical protections can include penetration testing, firewall rule base review, perimeter scanning, vulnerability analysis and threat assessments. Given the reliance on vendors that run systems for companies, businesses should review third parties that operate or have access to critical IT systems. Companies following best practices in this area typically require contracts with parties that have access to organizational information or processing facilities and include security requirements to ensure compliance with the organization's security policies and standards.
Effective risk management in the technology arena calls for implementing a process to deal with day-to-day changes in risk and frequent attempts by perpetrators to outmaneuver security. To win this battle, a company must identify and secure all of the key potential vulnerabilities. Keep in mind, a terrorist attacker may need to find and penetrate just one area of vulnerability to cause a potentially serious problem.
RELATED ARTICLE: Terms to Consider Including in Vendor Contracts
1. A general policy on information security
2. Asset protection requirements, including controls to ensure the return or destruction of information
3. Integrity and availability requirements
4. Complete description of services to be provided and verifiable performance criteria
5. Respective liabilities and responsibility for legal compliance
6. Technology insurance requirements
7. Intellectual property rights
8. The right to monitor, and revoke, user activity
9. The right to audit
10. Specification of physical and technical security standards
11. Communication procedures in time of emergency
12. A clear division of responsibility for system events and changes
Source: Marsh Inc.
Christopher Keegan is a vice president at Marsh Inc. in New York. He can be reached at 212.345.6072 or christo email@example.com.