The U.S. Department of FUD?

The U.S. government recently warned financial firms and services of an al-Qaida call for a cyberattack against online stock trading and banking Web sites. The Islamic militant group wants to "penetrate and destroy the databases of the U.S. financial sites," Reuters reported.

Should you care? Not if you have been doing your job.

The United States has been handling information warfare attacks for more than a decade, with varying degrees of success. Our biggest national failure has been defending against Class I information warfare, which targets personal information and is the backbone of identity theft, phishing and similar profit-oriented criminal endeavors.

Business has done better against Class II information warfare: company-to-company information conflicts and industrial espionage. In many ways it can be argued that American industry essentially has chosen to permit the continued theft of intellectual property, rather than institute appropriate (and perhaps politically incorrect) security policies and procedures.

The alleged al-Qaida threat is Class III information warfare. Nation-states, terrorists or other political and/or religious nongovernment organizations target their adversaries for nonprofit motivations, such as denial of service and systemic disruption, including psychological operations (PsyOps). Targeting the private critical infrastructures of perceived adversaries is called unrestricted warfare, as declared by the Chinese against the U.S. private sector in 1998.

Could the United States be promoting or exaggerating the al-Qaida cyberterrorism threat as a means to garner support for current U.S. policies? FUD - fear, uncertainty and doubt - is a powerful weapon that cannot be dismissed out of hand. Or is this al-Qaida using PsyOps, their own form of FUD? This form of FUD-based PsyOps, be it a videotaped beheading or the threat of economic meltdown, is a proven Class III weapon. A few years ago the Irish Republican Army effectively shut down London with a few well-placed threats. No bombs, no boom, but London was brought to a halt.

Let's say that al-Qaida has hired the best hackers and intrusion experts from the United States, China, Israel and Russia. Mass hiring on this scale is highly unlikely, but in examining risk, I like to turn up the dial full tilt to get a view of possibilities. Al-Qaida certainly has more than one guy on an oasis, but they do not have the power of DefCon. They do not have a magic switch to say, "Goodbye, New York Stock Exchange" or "Good riddance, Schwab!"

So what's the worry about al-Qaida and similar extremists? Two things. First, al-Qaida conceivably could launch a zero-day denial-of-service attack against online banking.

The second worry reflects the insidious nature of those who threaten us. Islamic extremists openly avow they have been quietly insinuating themselves at all levels of our society. It does not take any stretch to envision a long-term machination of skilled and trusted technical types infiltrating our national critical infrastructures.

The greatest threats to our financial and other critical systems are from insiders. A coordinated cell of operatives (al-Qaida or other) employed within interdependent power, telco and financial centers is a more effective way of creating mass disruption than attempting to master the Internet as a weapon of mass destruction/disruption.

Whether the al-Qaida threat is construed as physical or cyber is irrelevant, as the defensive means is the same: regular in-depth profiles of the psychology and proclivities of trusted employees to whom we give the greatest access or control. Instead of repeatedly looking outward for threats to our infrastructures, we should be looking within far more than the current face of political correctness permits. "Trust but verify again and again" applies not only to technology but also to people.

Copyright © 2006 IDG Communications, Inc.
