News from The Globe and Mail


Tuesday, March 25, 2003

In what you could call a 21st-century version of civil defence, security experts are urging e-businesses and individual computer users to do their bit to protect the technology infrastructure against cyber attack.

"Everyone has a role to play in securing their own piece of cyberspace," says Mary Kirwan, senior director for business development at Kasten Chase Applied Research Ltd., a Mississauga-based data security firm, with clients including the U.S. National Security Agency.

But few are well prepared for the growing risk of a terrorist cyber attack that would disrupt electronic communications for the military, business and the public at large, according to John Heiman, director of product management for security products at Redwood Shores, Calif.-based Oracle Corp., who has spent 14 years doing research and development for the U.S. military.

The greatest risk is not that military secrets will be compromised but that mercenaries or enemy sympathizers will hack into networks to infect them with viruses or malicious code, according to Major-General George Lampe, retired vice-commander of the Air Force Communications and Information Centre in Washington.

"If I was going to attack computer systems, I'd much rather corrupt their network without them knowing about it than shut them down," he says.

"It is not a matter of if but when it happens," says Mr. Heiman, who says e-businesses are as unprepared for cyber attacks as New Yorkers were for terrorist attacks before Sept. 11.

He compares the state of North American defences against hacker attacks to the Maginot Line that the French mistakenly relied upon to stop the advance of German tanks in the Second World War.

"Businesses have to ask themselves what could happen to them if a virus were to enter their enterprise and shut it down. It could not just affect the business itself but the public at large," he says, noting that there were 98 widespread intrusions into U.S. military computers during the last Gulf confrontation.

"Nobody has really done very much about it other than putting firewalls in front of all their systems," Mr. Heiman says, noting that hackers are adept at finding holes in electronic barriers. "But people say, 'I've got these big guns in front of me. I don't need to worry.' "

Robert Offley, chief executive officer of Vancouver-based Fusepoint Managed Services Inc., urges companies to prepare "a virtual bunker" to protect themselves against cyber attack.

"I could see hackers with enough time and resources bringing the Internet down for 24 hours to 48 hours over the next 12 to 18 months. I think there is a real threat of that," he says.

It is a threat that is often misunderstood, according to Ms. Kirwan. Her concern is not that terrorists could take down the entire infrastructure in a single attack. But she warns that a concentrated attack on a single telecommunications company or some other key hub in electronic networks could have a cascading effect and bring all kinds of interconnected computer systems to a standstill.

Given that there have already been many cases of widespread random mischief caused by so-called worms or viruses (malicious code transmitted over the Internet), Ms. Kirwan says, "a targeted virus could wreak havoc."

With the Internet linking trading partners, businesses, consumers and government agencies throughout North America and the world, a cyberwar would respect no boundaries and terrorists might attempt to bring networks down by attacking the weakest link in the chain of interdependencies, Ms. Kirwan says.

"A Canadian company has to be concerned that it may be the weak link in a relationship with a U.S. trading partner," she says.

Ms. Kirwan notes that cyber attacks often surreptitiously co-opt the resources of thousands of computers in so-called zombie assaults on a single target. For example, a denial-of-service attack can be launched by getting each zombie computer to send a stream of electronic messages, so that the target is overwhelmed with millions of incoming e-mails.

"Well-meaning universities with supercomputers that are not secure and millions of individuals with insecure personal computers can play a role in all our demise," she says.

For those who do not feel that it is their patriotic duty to secure their computer systems, there are also compelling business reasons to do so, Ms. Kirwan says.

For one, there may be legal liability involved in a lack of vigilance that results in your organization's computer system being used to launch an attack on your trading partner. For another, the data that you store in your computers may well belong to your clients, suppliers or partners.

"So it is probably an ill-judged decision to say that you have no role to play or that there is no price to be paid for a lack of attention to security," she says.

Ms. Kirwan urges businesses to review the value of the information that is stored in their computer systems and encrypt their sensitive data, paying particular attention to the access data that a cyber-terrorist or any other hacker might use to gain control of critical functions.

Mr. Heiman advises an in-depth approach that would ensure that security features are in place and properly implemented on every component at each level of a company's infrastructure.

He suggests using products that have been subjected to third-party security evaluation. He says programmers should also be on the lookout for software flaws, shortcuts and coding errors that could be exploited by hackers.

Businesses should also prepare for the worst with a viable disaster-recovery plan, says Ralph Dunham, Canadian manager for business continuity and recovery services at Markham, Ont.-based IBM Canada Ltd.

A disaster-recovery plan may include provisions for a complete breakdown of a company's normal infrastructure. For example, plans could be made for shipping equipment to employees' homes or other locations, so that they could resume operations as quickly as possible.

Plans should also ensure that the infrastructure has built-in redundancy and that parts can be separated from the whole, so that a failure of one function would not bring down the whole system, Mr. Dunham says.

"Infrastructure components will fail. You need resiliency, so you can take a blow in any one area," he says.

Preparing your e-business infrastructure for a terrorist attack involves expecting the unexpected, says Mr. Dunham.

"We try to counsel organizations not to try to predict a scenario, because we learned on Sept. 11 that nobody had planned for that."

© The Globe and Mail