WASHINGTON – While utility and transportation companies are told to be on alert Sept. 11 because of heightened terrorist threats, a survey released Monday finds that 30 percent of private companies' computer systems aren't adequately prepared for a cyber-attack.
Experts say that while action has been taken to protect the nation's water supply, nuclear power plants and seaports, private companies whose infrastructures are tied to the world's computer networks are still vulnerable to attack. Power and communications could be knocked off at the most critical time – during another terrorist attack.
"Someone could conceivably launch an attack on the physical world by going after a power station or water supply, and at the same time launch a cyber-attack in order to knock down communications and emergency response – it clearly can be done," said Douglas Goodall, CEO of Red Siren, a Pennsylvania-based computer security company.
Red Siren joined the Internet Security Alliance and the National Association of Manufacturers Monday in releasing a global security survey that found that nearly one third of companies do not have adequate plans for dealing with a range of cyber-attacks, from Web site vandalism and information theft to all-out terrorism. Thirty-three percent said cybersecurity "is not a visible priority" at the upper echelons of their organizations.
The survey was conducted from Aug. 12 through Aug. 23 and targeted technology specialists at 225 firms around the world. According to survey officials, the firms included small, mid-sized and large entities dealing with everything from utilities to banking and financial institutions.
Eighty-eight percent of participants said that following the Sept. 11 attacks, their companies recognize the need for computer security, but 39 percent said that such security plans are not communicated to, or reviewed by, top corporate executives.
"This seems to indicate a bit of disconnect between the perception of the general threat of cyberterrorism and specific concern about one's own organization," said Tom Orlowski, vice president of information technology at NAM.
"They need to turn awareness into action," said Goodall. "That is the message that we and the ISA and NAM wanted to send with this report."
Their survey comes a week before the White House releases the long-awaited National Strategy to Secure Cyberspace at Stanford University on Sept. 18. According to Tiffany Olson, a spokeswoman for White House cybersecurity czar Richard Clarke, the hefty document will include post-Sept. 11 security strategies from several key sectors, including utilities, education, banking and finance and government.
"It identifies their strategies and their vulnerabilities," she said. On the report issued by the three groups on Monday, she said the White House agrees there is much more to be done, "but we want to make it clear that a large number of companies are contributing a lot to protecting cyberspace."
According to the Computer Security Institute, which tracks security breaches, viruses and network break-ins, estimated losses due to such vulnerabilities could have reached nearly $1 billion so far in 2002.
Out of its annual survey of 503 computer security practitioners in U.S. corporations, government agencies, medical institutions and universities, 80 percent acknowledged financial losses due to attacks; 223 were willing to put a price tag on their losses and reported nearly $456 million lost.
The CSI survey, released last spring, also found that 90 percent of respondents detected a computer security breach in the last 12 months. Twelve percent reported the theft of consumer transaction information, six percent reported financial fraud, 70 percent reported Web site vandalism from hackers and 55 percent reported denial of service attacks.
"The United States' increasing dependency on information technology to manage and operate our nation's critical infrastructures provides a prime target to would-be cyberterrorists," said Bruce Gebhardt, a former FBI agent and executive assistant director for CSI, when the report was released.
The Computer Emergency Response Team at Carnegie Mellon University reports that 143,505 incidents of security breaches, involving in some cases thousands if not hundreds of thousands of sites over an extended period of time, have been reported to the center since 1988. In 2002 alone, 43,000 incidents were reported, compared to six in 1988.
"It's getting easier and easier to launch more devastating attacks because of the tools out there," said Goodall, who noted that nearly $50 million was lost in 2002 due to personal financial information being stolen and used by perpetrators.
Of course, the unspeakable breach would be an act of war involving critical infrastructures, he said. "That's what cyberwar planners are thinking about – the possibility of a physical attack dovetailing with a cyber-attack."