Let nobody tell you IT security isn't exciting. No less an action hero than Bruce Willis is even now struggling into his vest for another Die Hard outing, this time to defend the free world against cyberterrorism. According to reports, the story centres on an attack on America's computer infrastructure that begins to shut the country down.
You and I both know that there's no such thing as a cyberterrorist. You can't blow people up on the Internet. Hollywood may think otherwise, but Hollywood can't tell fact from fiction. It thrives on fantasy: harmless enough, until people start believing it.
The US Department of Defense defines terrorism as "the unlawful use of — or threatened use of — force or violence against individuals or property to coerce or intimidate governments or societies." Cyberterrorism, it follows, must be terrorism conducted using or against one or more computers. But while there are plenty of instances of politically motivated hacking, mostly defacement of Web sites, a terrorist group has have never actually destroyed online infrastructure in order to elicit terror or kill people.
Gartner analyst Richard Mogull recently told ZDNet UK that although terrorists are undoubtedly using the Internet to communicate amongst themselves and as a research tool, their use of the Internet as a delivery vehicle for a significant, digital attack is not grounded in reality. "Despite the heightened sense of civilian unease and government vigilance in developed countries since 11 September, there hasn't been a validated case of 'cyberterrorism' worldwide. There have been no losses of life or property because of a digital attack," he told us.
Not that this has stopped politicans from hyping the issue. In November of last year, Conservative MP Mark Pritchard called for the appointment of a cybersecurity Tsar to protect the UK from "the clear and present danger to its national security" and claimed that imprisoned al-Qaeda members have admitted that their organisation has been attempting to develop cyberthreats to strike Western governments. Even the phrasing is stolen from Tinsel Town.
"Security experts", whoever they are, are frequently willing...
...to help. Former US intelligence officer Dan Verton interviewed some of the key security figures in the Bush Administration for his 2003 book, Black Ice: The Invisible Threat of Cyber-Terrorism. "While Bin Laden may have his finger on the trigger, his grandchildren may have their fingers on the computer mouse," said Frank Cilluffo, special assistant to the US President and adviser for external affairs at the Office of Homeland Security, back in June 2001. That may be seen as progress: mouse-related deaths worldwide still comfortably lag those caused by AK-47s.
The real danger of cyberterrorism isn't that it might kill you — it won't — but that the disproportionate amount of attention it gets reduces resources available for other, more pressing threats. According to security experts such as Bruce Schneier, the terrorist threat is over-hyped and the criminal threat is under-hyped: the latter is less sexy and more troublesome, and thus far less attractive to politicians.
Even former White House cyber security adviser Richard Clarke dislikes "cyber" and "terror" being used together. "Cyberterrorism is not a term I like," he said recently. "Many different groups use cyber-vulnerabilities, and it's hard to know who they are. Some may be terrorists, but not many. It's a very serious problem that costs millions, but it's not terrorism."
In other words, if there are terrorists benefiting from criminal activities online, the only way we'll find out is if we investigate the crimes we know about — not if we spend our time chasing after Hollywood villians. And that means good, old-fashioned police legwork — collecting evidence, collating cases, investigating the thousands of cases of real damage done to real people.
Unfortunately, the UK's National High Tech Crime Unit no longer exists, having been subsumed into the larger Serious and Organised Crime Agency. Questions are already being asked about how effective SOCA can be at tackling cybercrime, given its wide remit. Last month, a Manchester woman who had her computer files held to ransom by hackers had her case turned down by local police, and whereas the case would have been taken up by the NHTCU previously, SOCA would not comment at the time on whether it would pursue the case.
If the security agencies and politicians are serious about tackling terrorism, this is where to start — not with Bruce Willis but with Dixon of Dock Green.