Cyber-terrorism: Reality or politics?
Cyber-terrorism is a term that has been thrown about on a regular basis since the Stuxnet worm infected and damaged Iranian centrifuges back in 2010, and research on the subject even dates back almost ten years earlier.
But beyond the Stuxnet and Shamoon (also known as Disttrack) incidents, examples are scare and subsequently some say that it's a topic that has been sensationalised by vendors, the media and the InfoSec community.
However, there's no getting away from the fact that it has been the big talking point in information security this week. It started with the head of the City of London police claiming that there's a “very strong likelihood” that Islamist terrorist groups - such as Isis - will launch a cyber-attack on financial institutions and ended with other experts later detailing how similar terrorist organisations could launch similar attacks against critical infrastructure and driverless cars.
Adrian Leppard, commissioner of the City force, told the Financial Times on Thursday: “There could be a very serious impact to the financial institutions of the world through a cyber-attack and I think it's a very strong likelihood that it will happen one day in the future, which is why we've got to push back and take action now before it happens.”
His comments – which came months after Benjamin Lawsky, head of the New York Department of Financial Services, warned of an “Armageddon-type cyber-event” – were criticised in some quarters.
Stephen Bonner, partner in KPMG's cyber-security practice, said in a statement that most of its financial clients were dealing with sophisticated cyber-crime and added that such cyber-terrorism claims were ‘the stuff of Hollywood'.
“Financial meltdown from cyber-attack currently remains the stuff of Hollywood, but we still need to think beyond current threats and look to a future which is likely to include more political extremism by increasingly cyber-savvy groups. Whether we choose to describe those attacks as terrorism, or not, is a political choice. The need for effective cyber-defences remains the same.”
This comment coincided with NATO carrying out a three-day cyber-security exercise in the city of Tartu, which is just outside the Russian border. Branded the group's biggest ever exercise, it focused on scenarios such as an insider attack and a coordinated assault on a surveillance plane.
Cyber-terrorism was also found in many other news outlets this week, with the IET warning about terrorists hacking the driverless cars expected to become commonplace in the next 15 years (published on The Telegraph), and other senior IT security pros spoke about the potential risks at a London conference.
Speaking at the Cyber Security Summit, Detective Superintendent Jayne Snelgrove, head of Metropolitan Police's Falcon group, said that cyber-enabled crime can only be used to make money ‘for terrorist purposes' while the National Grid CISO Graham Wright said that cyber-terrorism is one of the threats the organisation is concerned about.
But perhaps whether this talk of cyber-terrorism is reality or simply just as political leverage will come down to its definition, as outlined by cyber-security expert Edwin Covert earlier this year.
Citing Maura Conway's What is Cyber-terrorism? whitepaper from 2002, Covert wrote on Norse's website: “Simply “being” in cyberspace does not satisfy the definition of terrorism. It is necessary to denote the function cyberspace plays in the terrorist act in order to consider it cyber-terrorism.”
Hiring hackers: not the way to fill the skills gap
On Monday, KPMG released a surprising report which revealed the real problems UK businesses are having in terms of recruiting the right staff – in so far as almost half are considering hiring former hackers or those with a criminal record.
Surveying 300 senior IT and HR professionals in organisations employing 500 or more staff, the consultancy found that three in four of these (74 percent) believe that new cyber-challenges will require new skills, with 64 percent admitting that these skills are different to those offered by conventional IT.
Skills shortages were most keenly felt in data protection and privacy (70 percent of firms admit they lack expertise in these areas), while almost half (57 percent) admitting concern at holding onto those with specialised skills.
Most interestingly, 53 percent said that they would consider hiring a hacker (53 percent) or someone with a criminal record (52 percent) – something which did not go down well with leading experts.