WASHINGTON, D.C. -- 'Digital Pearl Harbor' is a term that was coined by Sen. Sam Nunn more than 10 years ago. The Georgia senator theorized that terrorists could use technology to attack systems critical to the proper functioning of modern society.
In 2003, most IT security administrators who don't deal with critical infrastructure, like utilities, financial services and the government, scoff at the possibility. But as Gartner Inc. researcher French Caldwell pointed out Monday during the Gartner IT Security Summit, prior to September 11, most would have scoffed at the possibility of terrorists flying airliners into the World Trade Center.
Caldwell detailed the outcome of a war game created last July by Gartner researchers and the Naval War College. The project combined the efforts of 80 Gartner clients who owned or managed critical infrastructure, affording them the luxury of playing terrorist for two days and creating a "digital Pearl Harbor" scenario. Caldwell said this was a tabletop exercise, and no hacking was done on any system.
Instead, the real-life security administrators and officers were divided into groups focused on industries such as financial services and telecommunications. These faux terrorists created a dire scenario in which the country's economic, transportation and communication infrastructures were simultaneously attacked and thrown into chaos.
"These scenarios require significant planning, resources, time and money," Caldwell said. "But they are feasible. All of these elements played into September 11, as well -- money, time and planning."
Those taking part in the digital Pearl Harbor were given nearly unlimited resources to create their terror scenarios. They first decided to acquire a technology company that makes IT management systems for electrical companies, enabling the group to get access to systems. Eventually, this access could be used to attack the four major power grids in the U.S., opening and closing relays, for example, and causing cascading outages nationwide.
Caldwell then explained that one team within the group, the financial services cell, agreed to purchase thousands of slave servers positioned worldwide to deploy denial-of-service attacks on a specified date and time. The telecommunications cell, meanwhile, found six Canadian fishing trawlers for sale on the Internet along with a sea plow for each. They decided to use these to cut the six major transatlantic cables connecting the United States to Europe, interrupting communications potentially for up to six months.
Granted, these are lavish scenarios, not necessarily likely to be part of a successful terrorism attack. Terrorists prefer physical attacks and blood to bits and bytes. Still, Caldwell said, the underlying message is that enterprises need to follow best practices, establish reliable security standards for infrastructure and focus on software quality. The government should establish an early warning system, he said.
FOR MORE INFORMATION: