News

USIS Washington File

04 November 1999

U.S. Corporations Warned of Cyber-Terrorism

(Greater security needed against electronic attacks) (680)
by Charlene Porter 
Washington File Staff Writer

The rapid growth of electronic communications as a primary tool in
international commerce is redefining how business is conducted. At the
same time, information security analysts say the expansion of
electronic commerce (e-commerce) has created a new vulnerability for
corporations and a new way for them to be victimized by terrorists.

Officials from the National Security Agency (NSA) and the U.S.
Department of State (DOS) briefed hundreds of representatives from
multi-national corporations and non-profit organizations November 3 in
Washington about the growing risks of terrorists who are not trying to
shed blood, but rather to wreak havoc with electronic records.

With the increasing use of the Internet in business operations, it
will not be long before, "more damage can be done with a keyboard than
with a car bomb," according to Nickolas Proctor, Executive Director of
the Overseas Security Advisory Council (OSAC). OSAC is an office
within the State Department devoted to fostering the exchange of
information on security issues between government, businesses and
other organizations operating internationally.

Assistant Secretary of State for Diplomatic Security David Carpenter
told the audience of business security specialists that they must
educate themselves about the mounting threats of cyber-crime. He said
terrorists are constantly devising new ways "to cripple business,
government, and infrastructure," and inventing new methods of
"creative destruction."

The U.S. government officials warned the corporate representatives
that in their rush to enter the world of e-commerce and to establish a
business profile on the Worldwide Web, they may have revealed
information about their companies that a would-be terrorist could use
to launch an attack. The security specialists from such major
companies as Eastman-Kodak, Bristol-Myers-Squibb, Lucent Technologies
and the New York Stock Exchange were urged to reexamine their Web
sites and ask themselves how a terrorist could exploit the information
posted there to raid corporate records or plot sabotage against
company facilities.

Michael Peters, the technical director for operations, readiness and
assessments at the NSA, described his successful efforts to expose
weaknesses in the security of U.S. government information systems. In
an exercise to test the vulnerability of systems within the Department
of Defense (DOD), Peters said a team of 20 government information
experts posed as adversaries attempting to break through DOD computer
security.

The role-playing terrorists set out to deny, disrupt, delay or change
critical DOD information, and to exploit any vulnerabilities. "The bad
guys won," Peters said. "We were able to cause serious problems for
DOD," in what was only an exercise, and he warned the business
executives that their companies were probably equally vulnerable.

The U.S. government security experts urged the corporate
representatives to exercise a higher level of vigilance to protect
their company's electronic records, but they also invited debate on
some of the unresolved legal questions that surround electronic
commerce.

John Nagengast, assistant deputy director of the NSA, said, "We really
need a national legal and policy framework," but that such a framework
does not yet exist. He also said business and government need to
collaborate to answer some of the questions about this new kind of
crime. For example: When does a cyberspace prank become a crime? When
does a computer hacker become a terrorist? Where do crimes occur in
cyberspace? What law enforcement entities have jurisdiction? What are
the appropriate penalties for cyber-crimes?

Because the technology is global, Nagengast said, international
consensus must be reached on the questions surrounding crime in
cyberspace, adding that security structures must be put in place on a
global level.

Nagengast also called for a fundamental change in how corporations
view security matters. He said security has long been considered only
a minor factor in a company's overall cost of doing business. In
today's world, however, he said, information security and vigilance
against potential attackers must become a high corporate priority.

(The Washington File is a product of the Office of International
Information Programs, U.S. Department of State.)