In Depth
The Blending of Physical and Information Security Threats
The coming wave of security threats will increasingly be blended with physical and information components. CSOs who want to prepare for these attacks will have to meld their defenses to meet the challenge.
By Daintry Duffy
The threat of a blended attack is one that the intelligence community takes very seriously. Harold Hendershot, section chief of the computer intrusion section of the FBI's cyberdivision, characterizes the prospect of such an attack as a force multiplier.
"Imagine if the 9/11 attacks had been coupled with a denial-of-service attack on telephones in Washington, D.C., or New York," he says. "It's a force multiplier because it increases the perception of damage. [Terrorists] can inflict a lot of physical damage, but if the government is suddenly silent or slow to respond, it creates psychological damage."
Most experts agree that while terrorism groups have indicated an interest in using IT attacks to undermine critical infrastructure (and are using the Internet extensively as a communication medium by burying messages in spam), they haven't matched up the intent with the capability yet. But it's likely not too far away.
"These are educated, smart, well-funded and reasonably motivated individuals, and there's a lot they can do," says Bill Hancock, CSO of telecommunications company Cable & Wireless. "The entry point for cyberterrorism is different from [bioterrorism] where you have to pay people to develop things for you. The entry point for cyberterrorism is the cost of a PC."
Hancock asks his fellow CSOs to consider the panic that would ensue if a widespread cyberattack were to hit the financial community. Millions of people could lose their life's savings. "What is money, after all, but an entry in a database?" he says.
Of course, "bombs have a better byline" than a computer attack, notes Hendershot grimly, but high-concept attacks such as walking into a stadium event with a bomb are getting harder to pull off. The prospect of tying a lower-grade kinetic event with a cyber component that might delay first responders or cause additional chaos is likely to be more attractive to terrorists as a way to increase the event's efficacy.
"If you're looking at convergence as the possibility to launch a coordinated attack physically and virtually, I think that we'll see the effect of that fear in the next five years," says Dario Forte, security adviser to the European Electronic Crimes Task Force. "But if you are looking at this phenomenon for a cyberevent like the Blaster worm to have an impact on physical security, I think we'll see that in the next two years."
In fact, in September the State Department had to temporarily shut down its electronic CLASS system (the Consular Lookout and Support System), which checks visa applicants for terrorist or criminal histories, because of an infestation of the Welchia virus. Forte predicts that those kinds of incidents are only going to increase in frequency.



