Ever since September 2001, I’ve been asked by the media about the potential for terrorists to launch a devastating attack via the internet.
To be honest, it’s not something I’ve lost much sleep about.
Yes, a terrorist could launch a denial-of-service attack, or write a piece of malware, or hack into a sensitive system, just as easily as the next (non-terrorist), but there is no reason to believe that an attack launched by a terrorist living in his secret HQ in the mountain caves of Afghanistan would be any harder to stop than the hundreds of thousands of other attacks launched each day.
That’s not to say that launching an internet attack wouldn’t have attractive aspects for those behind a terror campaign. Put bluntly, it’s a heck lot easier (and less physically dangerous) to write a Trojan horse to infect a computer on the other side of the world, than to drive a lorry loaded up with Semtex outside a government building’s front door.
Furthermore, terrorists are often interested in making headlines, to focus the world’s attention on what they believe to be their plight. If innocent people die during a terrorist action that certainly does help you make the newspapers, but it’s very bad for public relations, and is going to make it a lot harder to convince others to sympathise with your campaign.
The good news about pretty much all internet attacks, of course, is that they don’t involve the loss of life. Any damage done is unlikely to leave individuals maimed or bleeding, but can still bloody the nose of a government that should have been better protected or potentially disrupt economies.
But still, such terrorist-initiated internet attacks should be no harder to protect against than the financially-motivated and hacktivist attacks that organisations defend themselves against every day.
So, when a journalist asks me if I think cyber terrorism is a big concern, I tend to shrug and say “Not that much” and ask them to consider why Al Qaeda, for instance, never bothered to launch a serious internet attack in the 13 years since September 11.
After all, if it is something for us all to fear – why wouldn’t they have done it already?
So, I was pleased to have my views supported last week – from a perhaps surprising source.
GCHQ, the UK intelligence agency which has become no stranger to controversy following the revelations of NSA whistleblower Edward Snowden, appears to agree that cyber terrorism is not a concern. Or at least that’s what they’re saying behind closed doors, according to SC Magazine.
The report quoted an unnamed GCHQ spokesperson at a CSARN (City Security And Resilience Networks) forum held last week in London, debunking the threat posed by cyber terrorists:
“Quite frankly we don’t see cyber terrorism. It hasn’t occurred…but we have to guard against it. For those of you thinking about strategic threats, terrorism is not [a concern] at this point in time,” although he added that the agency was ‘very concerned’ on a possible attack at the time of the 2012 London Olympics.
He said that while it is clear that terrorism groups – such as ISIS and Al-Qaeda – are technically-adept, there’s been no sign of them venturing to cyber beyond promotional purposes.
“For some reason, there doesn’t seem intent to use destructive cyber capability. It’s clearly a theoretical threat. We’ve not seen – and we were very worried around London Olympics – but we’ve never seen it. We’ll continue to keep an eye on it.”
In a time when the potential threat posed by terrorism is often used as an excuse for covert surveillance by intelligence agencies, such as GCHQ, and the UK government raising the “threat level” to “Severe” at the end of August due to conflict in Iraq and Syria, one has to wonder if the spokesperson quoted was speaking entirely “on-message.”
Perhaps it’s telling, therefore, that the article is no longer present on SC Magazine’s website.
Whether the spokesperson was toeing the official GCHQ company line or not, I think I agree with him. I would worry less about cyber terrorists if I was running IT security for an organisation, and be more concerned about conventional financially-motivated hackers and targeted threats.
Common targeted attacks
There’s nothing particularly sophisticated about how a typical targeted attack will infiltrate your system, but that doesn’t mean that it can’t severely compromise your systems.
The most common way in which a targeted attack will infiltrate your company is via a simple email attachment, where the attacker forges the email’s header to pretend to come from someone you know, a customer or a supplier to your company, and uses social engineering to lure you into opening the malware attached.
] Often times the email attachment will be ZIPped up with a password, in an attempt to avoid detection by gateway filters – and simply contain within the message body instructions on how the recipient can open the attached file.
Other times, the attackers may attempt to infect computers inside your organisation by not including a malware attachment in their email but instead including a link to a hacked website containing a zero-day vulnerability.
Alternatively, watering hole attacks exploit legitimate websites that have been booby-trapped to serve up malware to visiting users.
There are other methods, of course, but these three are probably the most commonly encountered, alongside the threat posed by rogue employees or contractors who might have access to your computer systems or premises.
Whether it is GCHQ’s official position that cyber terrorism is not a concern or not, is unclear. But I would suggest that you focus more on protecting your staff and your data from targeted and “traditional” attacks than losing too much sleep over terrorists launching an assault against you via the internet.