A debate is brewing over cyber terrorism, the idea that terrorists can mount an attack on computing systems that results in death and/or physical destruction. In the aftermath of September 11, the idea has, justifiably, received a great deal of attention. What worries me is that some don't seem to take the threat seriously.

I recently read a story focusing on the Massachusetts Water Resource Authority (MWRA), the agency that controls water for much of eastern Massachusetts. The piece described in some detail how the computers that control the flow of water are isolated from most any type of network connection that could even theoretically be exploited by a cyber intruder.

Further, the story explained that even if a hacker did penetrate its network, the MWRA has a multitude of checks in place to ensure that contaminated water never reaches a residential or commercial faucet.


Bully for the MWRA. No wonder it charges so much for its water.

The point the story was trying to make was that we shouldn't worry so much about a cyber attack that causes physical harm; there are stopgaps in place to prevent that. What we do need to worry about is cyber intruders going after valuable data.

No argument there; we do indeed need to protect data. But it's dangerous to suggest that there is no way for terrorists to use computers to inflict massive harm.

Two-Pronged Attack Feared

What has some experts most concerned is the threat of a cyber attack combined with a physical one.

One expert who has been studying the matter is Mark Fabro, president and chief scientist at Terrasec Corp., a security consulting firm in Toronto. Fabro, who is completing a master's degree program specializing in cyber terrorist threats, has been researching the feasibility of mapping elements of critical network infrastructure to physical structures.

For example, he says it might be possible to identify not only the principle components of the network that controls the national power grid, but also the physical location of those components. In that fashion, a cyber terrorist would know which network components to target in a cyber attack, as well as where on the earth they exist for a physical attack.

"That kind of information, combined together, could be used to devastate elements of the critical infrastructure," Fabro says. "That's pretty spooky."

Another form of coordinated attack may, for example, involve the corruption of financial data in conjunction with the destruction of one or more physical buildings. In that manner, a terrorist could destroy a company's primary financial database as well as the building that houses the backup database.

Web A Library For Terrorists?

There has also been much gnashing of teeth in Washington and elsewhere about whether information that is -- or was -- freely available on public Web sites could be of aid to terrorists looking to perpetrate such attacks. They range from reports of maps on government Web sites that show where plutonium and uranium are stored, to information on power plants and natural gas pipelines.

The National Infrastructure Protection Center, an umbrella organization charged with protecting critical U.S. infrastructure, in January issued a bulletin warning that a computer owned by an individual with ties to Osama bin Laden contained information about the structural engineering of dams and other water-retaining structures.

The bulletin said law enforcement agencies had "received indications" that other Al Qaeda members were interested in water supply and waste management practices and were culling information about insecticides and pest control practices from several Web sites. (See: http://www.nipc.gov/publications/infobulletins/2002/ib02-001.htm) The government is making a concerted effort to ensure that its own Web sites don't offer any asistance to terrorists. On March 19, the Bush administration went so far as to order all government agencies to remove from public view any information on "weapons of mass destruction, as well as other information that could be misused to harm the security of our nation and the safety of our people."

At the same time, the National Archives and Records Administration told agencies to hold off on declassifying a range of documents whose classfication has expired and to protect "sensitive information from inappropriate disclosure," an order that is open to much interpretation.

While such orders raise valid points about the public's right to access government information, it also highlights government concern over terrorists targeting critical infrastructures. Whether terrorists employ any form of cyber means to do it is, in the end, irrelevant. But to think they couldn't is folly.

Desmond is a writer and editor based in Framingham, Mass. He serves as editor of eSecurityPlanet.com, a source of practical security information for IT managers, CIOs and business executives. Email him at paul_desmond@king-content.com.