​The cyber-terrorism threat and how to protect your business

Damien Manuel

  • CISO – Australia & New Zealand, Blue Coat
Damien Manuel is Chief Information Security Officer (CISO) for Blue Coat, now part of Symantec, in Australia & New Zealand. With more than 20 years of business, governance and ICT experience in security, Manuel leads Blue Coat’s team of consultants in the region, carrying on the company’s legacy of delivering the best possible protection against advanced adversaries. He works with senior IT executives from Blue Coat’s customers to help ensure they align their security architectures to industry best practices. Before his appointment as Blue Coat’s CISO, Manuel worked as a senior information security governance manager and later as an enterprise IT and Security risk manager at National Australia Bank (NAB) and was responsible for managing the banks’ Information Security Standard globally. Prior to NAB, Manuel was an account director at RSA, where he was responsible for enterprise accounts with a major emphasis on financial services and telecommunications. He also held senior roles at Telstra and Melbourne IT. He is currently on CompTIA’s executive advisory committee and is the national branch director for the Australian Information Security Association (AISA ). Manuel holds an MBA from the University of Melbourne; a Project Management Diploma from the University of New England; a Post Graduate degree in Genetics Engineering from Monash University; and a Bachelor degree in Education majoring in Chemistry & Biology from the University of Melbourne.

In my childhood, terrorists were people who hijacked planes. Now it seems more complicated.

The UK’s Chancellor George Osbourne issued a stark warning following the terrorist attacks in Paris this month. As security across Europe was ramped up in the form of armed police patrols and more stringent border checks, he told intelligence workers: "From our banks to our cars, our military to our schools, whatever is online is also a target. If our electricity supply, or our air traffic control, or our hospitals were successfully attacked online, the impact could be measured not just in terms of economic damage but of lives lost."

He added: "[Terrorist groups] do not yet have that capability. But we know they want it, and are doing their best to build it."

Terrorists are increasingly tech-savvy. One need only look to the likes of ISIS whose reach online goes beyond the borders of their so-called state. Their use of online recruitment is potent and powerful. They post slickly produced and graphic propaganda videos. They are social media experts with excellent skills and an understanding of psychological manipulation. They have the expertise to avoid detection by cyber-surveillance.

Their hacking skills are not so sophisticated. However, that’s not to say the threat they pose isn’t real, isn’t growing and isn’t maturing. The technological, ability and financial barriers to terrorists developing effective attacks are fast diminishing. If they don’t develop it in-house they will acquire it directly or indirectly.

ISIS’s online projection of strength appeals to young, computer-savvy foreigners, many of whom have decent IT skills that could be used for “hacking” with the right level of coaching and mentoring.

Former head of the ASIO, David Irvine said last month: "While terrorist organisations have not yet exhibited sophisticated cyber-attack capability, we must anticipate…that they could well seek to develop destructive attack capabilities in the near term.”

United States Federal Bureau of Investigation Director James Comey said of terrorist plots to attack the US with a cyber-attack: “We are picking up signs of increasing interest.”

We are probably some distance from a terrorist cyber-attack on Australia. We may be some time from fully securing the cyber defence of our infrastructure too. Smaller businesses, however, are better able to shore up their defence today.

Earlier this year, an investigation by NSW Auditor-General Grant Hehir found that systems managing traffic lights were “not as secure as they should be”. Controls to prevent hacks on Sydney Water, which manages the city’s water supply and sewage, were also found to be “not as effective as they could be".

Australia’s small and medium sized businesses need to take note too. They may not consider themselves to be obvious targets of terrorism. But cyber-terrorists may not be so discriminate. Having ‘Australian’ in the company name, having links to the government or a flag in a logo could be enough for those businesses to become a symbolic target.

The Australian Cyber Security Centre warns in its 2015 Threat Report: “organisations could be a target for malicious activities even if they do not think the information held on their networks is valuable, or that their business would be of interest to cyber adversaries.”

The motivations of cyber-terrorists are different. Cybercrime gangs attack business and organisations looking for data that can be monetised, so it’s in their interest that you remain in business. Cyber-terrorism is different: they are not after your money. They want to make a statement by destroying businesses and critical infrastructure.

Think of the potential consequences of a terrorism driven attack on your computer systems, your network and your customers.

So what can you do? Or rather, what should you do?:

  • Be aware that your business may have to deal with cyber terrorism either directly or indirectly (indirectly if your suppliers are impacted). Ensure you factor this into your business scenario and resilience planning.
  • Place more emphasis on security in your organisation. It doesn’t mean you need to have a dedicated CISO or CSO, but it does mean that you need to address security as a priority and take ownership to address the challenges. This could be at the CIO, CEO or board level.
  • Don’t view solving security problems as an insurmountable task. It is possible to improve security in your organisation through education, communication, tools that provide visibility and business process improvements.
  • Think about the weak points in your business, think like an attacker to understand where you might be vulnerable and implement controls, processes and systems to address or reduce the risks associated with those weaknesses.
  • Visibility of security in your business will be critical going forward and will provide the foundation data to help guide your decisions towards the appropriate investment of time, money and people in the future.
  • Share your concerns and challenges with other CISOs, CSO, CEO etc - a problem shared is a problem halved.

Tags: hacking, cyber-terrorism, Isis, CSO Australia, George Osbourne

Show Comments