According to cyber-security experts, the terror attacks of September 11 and July 7 could be seen as mere staging posts compared with the devastation that might be unleashed if terrorists turn their focus from the physical to the digital world.
Scott Borg, the director and chief economist of the US Cyber Consequences Unit, a Department of Homeland Security advisory group, believes attacks on computer networks are poised to escalate to full-scale disasters that could bring down companies and kill people.
He warns that intelligence "chatter" increasingly points to possible criminal or terrorist plans to destroy physical infrastructure, such as power grids. Al Qaeda, he stresses, is becoming capable of carrying out such attacks.
Most companies and organisations seem oblivious to the threat. Usually, they worry about email viruses and low-grade hacker attacks. But Borg sees these as the least of their worries.
"Up to now, executives and network professionals have worried about what adolescents and petty criminals have been doing," he says.
"In most cases, these kinds of cyber attacks aren't very destructive. The reason is that businesses generally have enough inventory and extra capacity to make up for short-term interruptions."
What they should worry about, Borg insists, is "what grown-ups could do" - terrorists or hardcore criminals. One key target would probably be the vital Supervisory Control and Data Acquisition (Scada) systems in power plants and similar industries.
"Chatter on Scada attacks is increasing," says Borg, referring to patterns of behaviour that suggest that criminal gangs and militant groups are now fully capable of unleashing such attacks.
"Control systems are a particular worry, because these are the computer systems that manage physical processes. They open and shut the valves, adjust the temperatures, throw the switches, regulate the pressures," he says.
"Think of the control systems for chemical plants, railway lines, or manufacturing facilities. Shutting these systems down is a nuisance. Causing them to do the wrong thing at the wrong time is much worse."
Until now, hackers have usually targeted credit cards or personal information on the web. But more sophisticated hackers are beginning to focus on databases.
The type of data most likely to be hit, Borg says, might include a pharmaceutical company's drug development databases, or programs that manipulate data, such as formulas for generating financial statements.
"Many attacks of this kind would have two components. One would alter the process control system to produce a defective product.
"The other would alter the quality control system so that the defect wouldn't easily be detected," Borg says.
"Imagine, say, a life-saving drug being produced and distributed with the wrong level of active ingredients. This could gradually result in large numbers of deaths or disabilities.
"Yet it might take months before someone figured out what was going on." The result would be panic, people afraid to visit hospitals and health services facing huge lawsuits.
Deadly scenarios could occur in industry, too. Online outlaws might change key specifications at a car factory, causing a car to "burst into flames after it had been driven for a certain number of weeks". Apart from people being injured or killed, the car-maker would collapse. "People would stop buying cars."
A few such attacks would send economies crashing. Populations would be in turmoil. At the click of a mouse, the terrorists would have won.
Is Borg justified in his fears? All this sounds like a plot from a thriller. But intelligence reports make for worrying reading.
An assessment by the British security service MI5 stated that "Britain is four meals away from anarchy".
And officials admit their greatest fears about electronic attacks focus on the more exposed networks that make up the "critical national infrastructure" - the systems Borg is concerned about.
US agencies are concerned that terrorists could combine electronic and physical attacks to devastating effect, such as disrupting emergency services at the same time as mounting a bomb attack.
Risk management analysts, equally edgy, are focusing on the financial impact on businesses and economies. They believe an online attack would undermine public confidence in vital industries, especially utilities.
Nick Robson, a partner at JLT Risk Solutions, says: "A cyber attack on, say, the power industry would cause communications operations to close down for a period of time, expose customers to loss of service, increase liability exposure and ultimately damage reputation for service delivery."
While the case for cyber attack appears persuasive, some people believe much of it is hype.
"It's difficult to avoid comparisons with the Millennium bug and the predictions of widespread computer chaos arising from the change of date to the year 2000," says Tom Standage, technology editor at the Economist magazine.
"Then, as now, the alarm was sounded by technology vendors and consultants, who stood to gain from scaremongering."
But what of the Scada systems; surely they are highly vulnerable?
"It is true that utility companies and other operators of critical infrastructure are increasingly connected to the internet," Standage concedes.
"But just because customers pay their bills online, it doesn't follow that critical control systems are vulnerable to attack. Control systems are usually kept entirely separate from other systems, for good reason."
But Richard Clarke, a former cyber-security expert in the Bush Administration, says: "People claim no one will ever die in a cyber-attack, but they're wrong. This is a serious threat."
He says that each time the US has tested the security of the electricity industry, he and his colleagues have been able to hack their way in, "sometimes through an obscure route like the billing system".
- INDEPENDENT
The enemy within: terror by computer
Interference with the control systems for chemical plants could be catastrophic. Picture / Reuters
AdvertisementAdvertise with NZME.
