The recent events in London and continued threats by al-Qaida should cause information security practitioners to stop and think a bit. Although there hasn't been a documented, declared case of cyberterror of which I am aware, there have been several events that might cause one to classify them as acts of terror, such as large-scale worm attacks.
These attacks were targeting non-combatants, in the military sense anyway, and they were certainly intended to intimidate. So why weren't they considered terrorist acts? Simply, they were terror, if not exactly terrorist, events. They met every definition of terrorism you can find. But given the relatively weak outcome of most of these events, at least in the context of hard terror attacks, is the prospect of cyberterrorism worth being concerned about? The answer, very clearly, is yes. But not for the reasons you might think.
Just like some kinds of data (especially the kind we need to trace attacks), the remnants of cyberterror events are rather short-lived. If I launch a worm, at worst all I get is a temporary – two- or three-day – panic on the internet and within affected organizations. Usually nobody dies, money normally is not permanently lost, businesses rarely go broke. But what if a cyber event was combined with a physical terror event?
It would then be what we refer to as an amplifier. The intent in that case is to increase the potency of the physical terror attack by adding markedly to the chaos surrounding it.
People will die, more money is lost, and the population sees the event for what it is – a terrorist attack, not just a virus.
The subtleties of a worm infestation are gone. CNN now has a story that lasts for days or even weeks with its own logo and theme music. The cyber event gets lost in the blood, flames and bodies of the hard attack, but its contribution has made the hard attack 100 percent worse.
Interestingly, if the cyber element fails, those combating the hard attack have an easier time, because everything operated by computers works. There is no additional computer-generated chaos and fewer people die, less money is lost, and so on.
So the bottom line is that cyberterrorism is very real, and we as security professionals can help fight the war on terror simply by hardening our systems, educating our users and managing our management. It's really that simple.