In the interest of moving to the next phase in our discussion, let’s assume that terrorism is defined as an unlawful use or threatened use of force or violence against people or property to coerce or intimidate businesses, governments or societies. We can now tack on the term “internet” to explore how the definition changes and the impact of those changes on information security. By building the term “internet terrorism”, we are saying that violence and physical harm can be conducted electronically. Now I don’t believe that this is the intent, but in essence layering intent upon intent has now diluted our definition. This causes confusion and forces us to lean upon our beliefs, environment and current situations to form a definition. This does not provide us with any greater capability in tracking or monitoring and just seems to muddy the waters even further.
So how we identify the threat and what can we do to protect ourselves? Internet terrorism is really about two separate uses of the Internet. First, a terrorist can utilize the Internet as a vehicle to cause outages and denial of services with an overarching message to instill fear and to threaten physical harm. From an information security point of view, we can readily understand this first point since we experience this noise today within on our networks. The attacks are targeting our assets to cause electronic pain and fear with our Internet presence. But as we know, attacks that are conducted against our organizations can originate from many diverse groups with for different reasons. Former employees, competitors, or fraudsters can have justifiable reasons in their mind to electronically cause you pain or reputation harm. It becomes apparent that the campaign against Internet terrorism using the Internet in this fashion may stem from known terrorist in the real world who has conducted violent or harmful crimes to invoke fear. The challenge is to know when these seemingly “innocent” attacks actually become terror. Does the act require a certain number of members, a certain political/ideological principle, or a certain funding to be considered terrorism? Can one person be considered a terrorist? These are great questions that need a clear definition to gain the appropriate buy-in and funding within an organization. Since the activity and characteristics are not well defined, the message today will be a hard sell for information security professionals and will get lost in the shuffle of shifting priorities. Likewise, when the terrorist begin to electronically target organizations and prevent services from working, companies today would see the threat as noise since there is nothing that distinguishes them from the rest of the pack. The challenge is determining how to distinguish the noise that is normally experienced from an actual terrorist activity.