WASHINGTON, D.C. -- Companies alone cannot protect themselves from cyberterrorism.
Governments, enterprises and industry groups have a role to play in combating the cyberterrorism that threatens critical elements of the U.S. infrastructure, more than 80% of which is in the hands of the private sector. Companies in vertical industries, from banking to utilities, play a critical role in the health of the country.
Walter Dove, an attendee at this week's Sector 5 conference, said Wednesday that a full-scale attack that brings down a regional power grid or "makes your toilet go the other way" is very unlikely.
"I think individual companies will face individual risks," said Dove, who works for the government, but declined to say which branch.
What can a single company do against an attacker who is targeting it to unleash terror in the country?
Well, 98% of security events involve systems that are misconfigured or unpatched, said Howard Schmidt, vice chairman of President Bush's Critical Infrastructure Protection Board. Having properly configuring systems can curtail many kinds of attacks cyberterrorists could pursue, he said.
There are five things a company needs to consider when faced with a threat like cyberterrorism: prevention, protection, preparedness, intervention and reaction, said Saul Wilen, CEO of International Horizons Unlimited, a national think tank based in San Antonio that specializes in terrorism prevention.
Companies need to simultaneously work on each element, though most tend to favor reaction. In his experience, companies focus 82% of their effort on reaction and 1% on prevention. Prevention is much more important because preventing an attack is always better than reacting to it, he said.
"We just haven't learned to do that," Wilen said.
Cyberterrorism is a unique threat to companies because preventing it requires working with other entities, such as the government and information-sharing and analysis centers. "No entity can effectively defend against cyberterrorism by themselves," said French Caldwell, who heads Gartner's knowledge management practice.
Figuring out the proper roles for governments, companies and industry organizations isn't easier, but it's necessary for a proper defense, Caldwell said.
How is cyberterrorism different than other forms of attacks? What can the government do? One example is where various intelligence agencies may have information that a sector is going to be attacked. That information can then make its way through proper channels to potential targets.
The FBI's National Infrastructure Protection Center (NIPC) is in position to gather information from various government bodies such as the Department of Defense, the National Security Agency and the Central Intelligence Agency, said Ronald Dick, the center's director. NIPC also plays a leadership role in the event of a crisis.
The government can also simultaneously play an advisory role to companies.
For example, information spreading and education is the main job of the New York Electronic Crimes Task Force of the U.S. Secret Service. This first-of-a-kind force is not focused on responding to criminal activity but on educating organizations, said Bob Weaver, assistant special agent in charge of the task force.
So far, the task force has educated 30,000 people about staying "ahead of the game," Weaver said. The New York branch has served as a model for other such task forces around the country.
Alas, Weaver's crew has some first-hand experience with conventional terrorism. Their offices in 7 World Trade Center were destroyed on September 11. With help from the private sector and a well-defined disaster recovery plan, they were able to get their voice and data links up within 48 hours.
"The best time to plan for such events is before. Trying to do it during the excitement of the event is like trying to change a tire on a car driving down the road," Weaver said.