Chief research officer John Gantz says a war will “galvanise the hackers among the terrorist ranks to use their skills, perhaps in a co-ordinated way to create disruption via denial of service attacks, intrusion or even physical attacks on key network assets”.
The denial of service attacks on the 13 internet DNS root servers on October 22 shows the blueprint for such attacks, says IDC. And one hacker, known as Melhacker (Vladimor Chamlkovic), has threatened to release a “megavirus” if Iraq is attacked.
IDC New Zealand believes it is “most likely” that the New Zealand offshoots of overseas organisations will suffer “tail-end effects”, though it all depends on the seriousness of any Iraqi war.
While New Zealand IT vendors report few extra fears from their customers, Auckland-based outsourcer Cogita suggests terrorism is one more reason why firms should beef up their security.
CEO Margaret Brown says Cogita itself suffered a cyber-terrorist attack during recent tensions between the US and China -- a Chinese hacker posted “death to Yankee imperialists” on the Cogita website.
Cogita's marketing speaks of “terrorism recovery planning” and warns that governments and regulatory agencies may soon demand security-related certification just as it did with Y2K, and similar guarantees of non-disruptable service delivery. Brown says increasing numbers of firms are approaching her about security fears, though this is more about general hacking than anything political.
Roger Cockayne, CEO of Auckland-based Hosted Data Services, is aware of growing fears over cyber-terrorism in the US, but says New Zealanders appear unconcerned about threats or legislation.
“But it is only a matter of time for something to happen. It usually takes another country to set some standards,” he says.
The Information Technology Association agrees, with CEO Jim O’Neill believing standards will come from international agreements with global bodies like the UN, APEC and European Union.
Many organisations are pushing security and cybercrime, says O’Neill, and such legislation would be likely for critical infrastructure protection. Banks, utilities and the health sector already do much here, but he doubts other groups would be affected as “in New Zealand, we struggle to get organisations interested in basic security”.
ITANZ says the security industry is frustrated by a low take-up of security-related products and services and Cogita deserve credit for selling security in this way.
However, Computer Associates accuses Cogita of "unfounded scare tactics" by speaking of new legislation. Even so, Sydney-based security consultant Daniel Zatz says it is essential governments and organisations have processes in place to deal with disasters to keep businesses runnings. This includes having firewalls, anti-virus software, regular back-ups of data, plus planning and risk assessment.
As for our own government, no new legislation is imminent, but already various departments operate a risk management approach to security based on a priciple of "acceptable risk". This is outlined in the manual Security in the Government Sector. Firms are also encouraged to use products evaluated under the Australasian Information Security Evaluation Program (AISEP).
Mike Spring, the director of Information Systems Security at the Centre for Critical Infrastructure Protection (CCIP), says the International Standard ISO17799: Information Security Management provides very good guidance in this area, helping firms measure and control the level and type of security appropriate for their business.
The Government Communications Security Bureau website also publishes the NZ Security of IT (NZSIT) series of publications. The CCIP also advises firms on what to do, and lists recent threats, vulnerabilities and incidents. An "outreach programme" is raising security awareness with the private sector and government departments, says Spring.
"All these programmes will continue to raise the standard of security and protection from information borne threats," he says.
The CCIP says it is aware of repeated predictions of cyber-terrorist threats, adding that hacking for political ends happens every week.
"Use of the internet to support or promote actual physical attacks may occur," Spring says, but for the CCIP to make such predictions would be "both alarmist and counter-productive".
This is the last On the Job column I will be writing. Cyanide threats in Auckland's Viaduct Basin aside, I leave New Zealand later this week to seek my fortune in the relative safety of, er, Australia.