Cyber terrorism.

Author: Keegan, Christopher
Position: Security

The aftermath of 9/11 and increasing tensions in the Middle East and with Iraq have heightened the risk of cyber-terrorism, and companies need to review their security procedures and insurance coverage.

While property and casualty insurers wrestle with the risks of terrorism in the aftermath of September 11, terrorism coverage provided by ebusiness insurance policies hasn't changed: Most of these policies continue to cover cyber-terrorism. In addition, some insurers that had excluded cyber-terrorism now offer terrorism coverage for an added premium.

The underwriters' position stems from their difficulty identifying perpetrators of cyber-terror attacks and the fact that damages from cyber-terrorism resemble consequences of other types of hacking incidents or Internet attacks. Most insurers feel that defenses against attacks on systems by hackers are identical to those needed to limit attacks by terrorists.

At this point, there is anecdotal evidence of an increase in systems attacks stemming from the Middle East unrest and the U.S. operations in the war against terrorism. Surveys by a leading information security company of attacks on information systems before and after September 11 found the number of attacks rose precipitously within two weeks of the terrorist attacks as the war against terrorism took shape.

Assessing the Risk

Although it is not clear whether these incidents were directly related to the 9/11 attacks, the evidence indicates that terrorism could have raised the intensity of attacks on information technology. The perceived increase in exposure from terrorist attacks focusing on technology is also apparent in two published reports -- one published well before September 11 and one immediately after.

A 1999 report by the Center for the Study of Terrorism and Irregular Warfare at the Naval Postgraduate School in Monterey, Calif., concluded the barrier to entry for anything beyond annoying hacks by terrorists is high. Terrorists, the authors thought, generally lacked the wherewithal and human capital needed to mount a meaningful operation. They saw cyber-terrorism as a phenomenon of the future.

The Monterey study estimated that it would take a group starting from scratch two to four years to reach an advanced level and 6-10 years to reach the level where the most serious potential damage could be done -- although some groups might get to that level in a few years or turn to outsourcing or sponsorship to extend their capability.

The authors determined that only religious groups are likely to seek the most damaging capability level, consistent with their indiscriminate application of violence. On the other hand, they concluded that single-issue terrorists pose the most immediate threat because they're likely to accept disruption as a substitute for destruction.

A subsequent Dartmouth College report, published Sept. 22, 2001, provided evidence...
