The Next Terrorist Attack: Coming Soon To A Computer Screen Near You?

Consider how such a nightmare scenario would affect us all if the cloud persisted for weeks, months–even years.

Some scientists believe this is actually part of what happened to our planet far back in its history. Science buffs will recall that one theory of how the dinosaurs became extinct is that a huge asteroid hit the Earth, creating a global cloud that blocked sunlight, causing tremendous climatic changes that eventually killed the huge creatures off.

Today, there are some who believe that a terrorist strike at our interconnected computer systems could have the same kind of cataclysmic effect on the worldwide economy.

While news media are focusing on the prospect of a biological attack in the wake of the events of Sept. 11, our computer systems remain vulnerable to a cyber-attack that could literally bring business activity to a grinding halt–not only in the United States, but worldwide.

According to Clint Harris, vice president at Conning & Company, a research organization based in Hartford, there is "tremendous concern in terms of loss if there are viruses that could bring down the entire Internet. That is a potential."

Mr. Harris compared the impact on financial services of the Internet going down to that of "an asteroid striking the Earth."

Lets stop and consider that kind of impact for a moment. Financial services, as well as most other industries, has come to rely heavily on the Internet for transactions, marketing, day-to-day operations and even distribution (although the insurance sector neednt worry about the latter).

Were the entire Internet to fail, literally millions of transactions might be lost, or at best take weeks to recover and be recorded on paper. On the insurance side, communications among brokers and carriers and customers would be seriously compromised. Certainly all business activities that use e-mail would immediately cease.

And, if such an attack were to also affect telephone communications, how would any financial commerce take place?

Unquestionably, such a huge blow to our communications infrastructure would severely damage an already reeling economy. Insurance claims from failed businesses just might exceed the ability of companies to pay them.

The results would be chaotic–just the sort of thing that would make a terrorist smile.

Mr. Harris is the author of a study entitled: "Cyber-Security for Insurers: The Virtual Fortress?" Among other things, that study–the release of which preceded the Sept. 11 attacks–concludes that the industrys "somewhat laggard entry" into online distribution of policies and services "may now be exposing their customers, business partners and themselves to massive losses caused by breaches in security."

Why is insurance particularly vulnerable? First, said Mr. Harris, insurers have tremendous assets, which makes them a target. "Insurance is also a target because of its reliance on interconnectivity with other enterprises and businesses, including agents and branch offices," he added.

Then there is the fact that most insurers still use multiple computer systems, including legacy systems, noted Mr. Harris. "Multiple systems complicate the systems environment, and the greater the complication, the greater the potential for vulnerability," he warned.

The specific threats to insurance and other business systems include denial-of-service attacks (in which Web sites are deluged with bogus e-mails and requests to the point that they function very slowly or not at all–thus, denying service to those who legitimately want to use them).

An even greater danger, however, might be posed by hackers who create malicious codes that alter or destroy critical data, Mr. Harris noted.

"No matter what you do, you will never be totally secure," according to Mr. Harris. He added that a coordinated cyber-attack on the United States–and perhaps all of the free world–"is certainly possible."

Even a novice hacker who knows nothing about spreading viruses can go to certain Web sites and get the tools to build and deploy something malicious. But think about how much more dangerous such an attack would be if it were launched by experienced programmers hired by a terrorist group or rogue nation.

"That may be an event thats occurring," Mr. Harris pointed out. He noted that during the recent downing of the U.S. reconnaissance plane in China, there were reported cyber-attack efforts between the United States and China.

Those who wish to launch such attacks on a grander scale, said Mr. Harris, have the ability to "be remote" and to set up operations "almost anywhere in the world." That would seem like an ideal modus operandi for a terrorist group.

"Can [terrorists] accumulate the talent and do it? Weve already seen some evidence" that it is possible, Mr. Harris asserted. "The federal government obviously considers this a serious threat. Now there is greater urgency."

What would be the dollar cost of a major concerted attack? "Who knows?" said Mr. Harris. "It could be a tremendous amount of money."

Mr. Harris reported that in 2000, there were security-related losses of $26.4 billion for all industries in the United States alone, and that didnt include "soft costs," such as the need for additional marketing, or the theft of hardware.

The same figures for 2005 are projected to be $43.6 billion in the United States, but Mr. Harris pointed out that those projections were made without considering the effects of a terrorist attack and the attendant fallout.

So, how can we in this industry protect ourselves against the possibility of going the way of the dinosaurs?

"It begins with the process of building security into all of your processes," said Mr. Harris. "Security as a bolt-on is less likely to work and more expensive in the long run."

Mr. Harris recommended that insurance companies appoint someone to head up the effort to develop and implement Web security policies. "That individual needs to be on a management level that reports directly to the CEO. This is very important," he explained.

Once policies are in place, security procedures should be regularly reassessed, especially in terms of new vulnerabilities that might come to light, said Mr. Harris. This is probably best done by an outside firm that would be less biased and would provide a "broader view," he added.

I would add that each of us, as an individual user at home or at work, needs to do his or her part. We can start by taking simple precautions, such as backing up our work and keeping the copied files in a different location than our computer.

If youre a broadband user, turn your computer off when youre not using it. Leaving your system on leaves you vulnerable to hacking, because broadband connections are "always on" while the PC is powered up.

Finally, get and use a good virus detection program. Be sure to update that program at least a few times a month–and every time you hear about a new virus thats going around.

Sure, all these precautions are an inconvenience–and some might be costly–but keeping the lines of business communication open is well worth the annoyance and cash outlay.

Lets face it, Osama bin Laden probably wont be upset if he cant access his online Buddy Chat for a few weeks. Having our business Internet links removed, however, could be a recipe for further disaster in financial services and in the world of business altogether.

As they used to tell us in the Boy Scouts: Be prepared.

Ara C. Trembly is National Underwriter's resident tech guru. He can be reached at atrembly@nuco.com.

Reproduced from National Underwriter Property & Casualty/Risk & Benefits Management Edition, October 29, 2001. Copyright 2001 by The National Underwriter Company in the serial publication. All rights reserved.Copyright in this article as an independent work may be held by the author.

Contact Webmaster