Information Age: News, analysis & insight for IT & business leaders

On the evening of 14 August 2003, America’s North Eastern states were plunged into darkness by the biggest blackout in its history. Amid the chaos and confusion, 256 power plants were shut down, including several nuclear power plants, TV and mobile phone communication ceased, and air traffic was thrown into turmoil as airports were closed.

The immediate public response was to assume the worst – a terrorist attack by Al-Qaeda – with speculation that this was its first successful electronic attack on a national critical infrastructure. The fact that the root cause was a massive power fluctuation did little to dampen the public imagination of how cyber-terrorists could wreak havoc by taking down key institutions. It also prompted a flurry of articles and books – some pure fantasy, others based on a deep understanding of the dangers – outlining the risks of a large-scale, cyber-assault by extremists.

Since that time, however, opinions on the real extent of the threat have been polarised. And while it is right to question the validity of predictions of an electronic apocalypse, a rash of over-scepticism has, during the past few years, served to obscure the true risks.

As numerous security experts told Information Age during the research of our cover feature this month (mostly speaking off-the-record, to protect their organisations), the growth of convergent networks has, in particular, vastly increased the number of network weaknesses. While a large-scale cyber assault would require deep technical knowledge or insider collaboration, such vulnerabilities mean “it is do-able, and because it is do-able, it will happen”, argues David Lacey, one of the UK’s most respected security commentators.

And the evidence to back that prediction is not hard to find. Our feature highlights frequent focused attacks by activists, criminals and even intelligence agencies on government departments, broadcasters, defence establishments, pharmaceutical companies, financial services firms and a host of other groups.

Whether hacking, the deployment of malware, a denial-of-service attack or some other technique, these assaults can prove devastating if left unmitigated, as data is leaked or corrupted, systems taken off line or services suspended. Arming the organisation against such threats should be a priority for many IT departments, but as one security officer at a major music broadcaster commented, this is not currently the case.

As Phyllis Schneck, chair of the FBI’s InfraGard programme, stresses, those countermeasures will also need to involve interaction, knowledge-sharing and transparency among businesses and public agencies. Only then is the IT community going to be able to ensure it can, quite literally, keep the lights on.