Is cyberterrorism real? Should corporate IT be worried about it? A few weeks ago, I would have answered no to both questions. I would have argued that labeling any computer attack as "terrorism" is a grotesque exaggeration. I would have cited renowned security expert Bruce Schneier, CTO at Counterpane Internet Security Inc., who contends that genuine cyberterrorism is still decades away.
"A network going down is not terrorism. Everyone who watched on Sept. 11 knows what terrorism looks like," Schneier said in an interview with Computerworld Canada last month. "I would define cyberterrorism as using a computer to make planes fall out of the sky or buildings collapse."
But then we published an interview with Sheikh Omar Bakri Muhammad, a London-based Islamic cleric who is directly linked to Osama bin Laden and the al-Qaeda terrorist organization. He talked about how al-Qaeda is actively planning to use the Internet for cyberattacks against U.S. companies. Several intelligence and security experts said those threats should be taken seriously -- certainly as seriously as we take other computer crimes.
"This should put to rest any notion that terrorists who are willing to blow themselves up aren't thinking about more sophisticated attacks," said reporter Dan Verton, who interviewed Bakri by phone in the course of researching a book on homeland security and cyberterrorism. Verton is also moderating a cyberterrorism forum on Computerworld.com this week. "Americans in general have a tough time understanding radical groups and an even harder time coping with our own vulnerability," he added. "But we need to be aware of this type of thing."
Critics of our stories disagreed, however. They vehemently objected to us providing a known terrorist supporter with any platform whatsoever from which to threaten Americans.
"This story is not newsworthy and your repeated hawking of it amounts to nothing more than fear-mongering," one wrote. An Israeli reader said that merely publishing the intentions of terrorists achieves "80 percent of their goal." Another scoffed that "any cyberattack by al-Qaeda is going to be insignificant compared to the destructive efforts of millions of bored teenagers with readily available hacking tools."
I understand these objections and respect the emotions behind them, but I still believe that publishing such information is more useful than ignoring it. While our stories sparked angry reactions from a handful of readers, they also generated huge spikes in our Web traffic each time one was posted. One of the postings in our online forum raised that reality-check question again: "As IT-oriented professionals, most of us are quite aware of how much damage can be done by worms or hackers, but how much do these affect the 'real' world?"
That's a very difficult question to answer. Surveys of CIOs and IT managers across a wide swath of U.S. industries continually show a worrisome lack of confidence in existing computer security practices. A CIA analysis paper recently sent to a U.S. Senate committee raised this red flag: "Cyberwarfare attacks against our critical infrastructure systems will become an increasingly viable option for terrorists as they become more familiar with these targets and the technologies required to attack them."
In the end, it hardly matters which "cyber" label we use -- cyberterrorism, cyberwarfare, cybercrime or cyberattacks -- as long as we pay attention to these early warning signs. We know terrorist groups are focused on building IT skills and investing in computer science education for their followers. We hope they'll never launch a successful cyberattack, but they'll certainly try.