8. Terrorism – The Case for ISO 27001

Chapter 8. Terrorism

Executive summary

Cybercrime is a serious issue. It may, however, be a lesser danger to organizations than the effects of what is called ‘cyberwar’: cyberwar is even less discriminate than criminal activity, but potentially more devastating. Every organization has a role to play in securing cyberspace against terrorist attacks.

Cyber-capabilities

On 12 September, 2001, the US General Accounting Office (GAO) reported that 24 US federal bodies, from the Treasury to the Pentagon, had computer systems ‘riddled with weaknesses’. It said that hackers could read or tamper with critical information. On 18 September, the Nimda worm infected and shut down 100,000 computers worldwide within 24 hours. Every significant terrorist or criminal organization is believed to have cyber-capabilities and to have become very sophisticated in its ability to plan and execute attacks using the most recent technology.

Eliza Manningham-Buller, Director General of the UK’s Security Service, said this at the 2004 CBI annual conference: ‘A narrow definition of corporate security including the threats of crime and fraud should be widened to include terrorism and the threat of electronic attack. In the same way that health and safety and compliance have become part of the business agenda, so should a broad understanding of security, and considering it should be an integral and permanent part of your planning and Statements of Internal Control; do not allow it to be left to specialists. Ask them to report to you what they are doing to identify and protect your key assets, including your people.’

More than 400 million computers are linked to the Internet; many of them are vulnerable to indiscriminate cyber-attack. The critical infrastructure of the first world is subject to the threat of cyber assaults, ranging from defacing websites to undermining critical national computer systems. In February 2003, the White House published the National Strategy to Secure Cyberspace, in which the President recognised that securing cyberspace would be an extraordinarily difficult task, requiring the combined and coordinated effort of the whole of society, and that, without such an effort, an infrastructure that is ‘essential to our economy, security and way of life’ could be disrupted to the ‘extent that society would be debilitated’.

ISO 27001

Every organization has a role to play in society’s survival of a terrorist attack, and that role is to ensure that the organization itself has a reasonable prospect of survival. The standard provides guidelines that, when deployed, reduce the organization’s level of exposure to the impacts of a terrorist attack while improving its own business continuity arrangements.