In my childhood, terrorists were people who hijacked planes. Now it seems more complicated.
The UK’s Chancellor George Osbourne issued a stark warning following the terrorist attacks in Paris this month. As security across Europe was ramped up in the form of armed police patrols and more stringent border checks, he told intelligence workers: "From our banks to our cars, our military to our schools, whatever is online is also a target. If our electricity supply, or our air traffic control, or our hospitals were successfully attacked online, the impact could be measured not just in terms of economic damage but of lives lost."
He added: "[Terrorist groups] do not yet have that capability. But we know they want it, and are doing their best to build it."
Terrorists are increasingly tech-savvy. One need only look to the likes of ISIS whose reach online goes beyond the borders of their so-called state. Their use of online recruitment is potent and powerful. They post slickly produced and graphic propaganda videos. They are social media experts with excellent skills and an understanding of psychological manipulation. They have the expertise to avoid detection by cyber-surveillance.
Their hacking skills are not so sophisticated. However, that’s not to say the threat they pose isn’t real, isn’t growing and isn’t maturing. The technological, ability and financial barriers to terrorists developing effective attacks are fast diminishing. If they don’t develop it in-house they will acquire it directly or indirectly.
ISIS’s online projection of strength appeals to young, computer-savvy foreigners, many of whom have decent IT skills that could be used for “hacking” with the right level of coaching and mentoring.
Former head of the ASIO, David Irvine said last month: "While terrorist organisations have not yet exhibited sophisticated cyber-attack capability, we must anticipate…that they could well seek to develop destructive attack capabilities in the near term.”
United States Federal Bureau of Investigation Director James Comey said of terrorist plots to attack the US with a cyber-attack: “We are picking up signs of increasing interest.”
We are probably some distance from a terrorist cyber-attack on Australia. We may be some time from fully securing the cyber defence of our infrastructure too. Smaller businesses, however, are better able to shore up their defence today.
Earlier this year, an investigation by NSW Auditor-General Grant Hehir found that systems managing traffic lights were “not as secure as they should be”. Controls to prevent hacks on Sydney Water, which manages the city’s water supply and sewage, were also found to be “not as effective as they could be".
Australia’s small and medium sized businesses need to take note too. They may not consider themselves to be obvious targets of terrorism. But cyber-terrorists may not be so discriminate. Having ‘Australian’ in the company name, having links to the government or a flag in a logo could be enough for those businesses to become a symbolic target.
The Australian Cyber Security Centre warns in its 2015 Threat Report: “organisations could be a target for malicious activities even if they do not think the information held on their networks is valuable, or that their business would be of interest to cyber adversaries.”
The motivations of cyber-terrorists are different. Cybercrime gangs attack business and organisations looking for data that can be monetised, so it’s in their interest that you remain in business. Cyber-terrorism is different: they are not after your money. They want to make a statement by destroying businesses and critical infrastructure.
Think of the potential consequences of a terrorism driven attack on your computer systems, your network and your customers.
So what can you do? Or rather, what should you do?: