ARN

Gartner labels cyberterrorism a dud

Julian Bajkowski (Computerworld)  14 November, 2003 08:00:03

Governments, after years of fruitless hysteria, are shifting their national security focus away from the threat of cyber attacks launched by terrorist groups to enhancing eavesdropping capabilities to monitor such groups, according to Gartner’s research director for information security and risk, Rich Mogull.

All but dismissing the cyber terror threat, Mogull claims that, after much publicity, it has failed to materialise in all but theory.

"There has not been a single case; we’ve talked with governments, businesses and the military and there has not been a single occurrence," Mogull said, adding that the high availability of those willing to die for a terrorist cause was of far more immediate concern.

Rather, western cyber efforts against asymmetric threats were being deployed to leverage intelligence from the Internet, which terror groups have readily used to facilitate communications between members and promote their causes.

"Governments are dealing with this and [the US and allies] are monitoring and looking… for example we have now eliminated the ability of certain groups to use mobile phones. The same goes for satellite phones because when they use them we blow them up," Mogull said.

Asked if the capability existed for agencies to text mine cyber chatrooms, Mogull said it was highly probable, while cautioning it "is not everything".

Mogull said that critical infrastructure protection, especially utilities, will continue to face challenges, not least because many SCADA (Supervisory Control and Data Acquisition) systems now used Windows-based front ends that were highly vulnerable. To counter this problem, Mogull said it was necessary to decouple such machines from the Internet at large.

"You need to separate physical systems (those that control physical actions such as water or electricity) from enterprise systems. You need a virtual air gap," Mogull said, adding that if companies involved in critical infrastructure failed to secure their IT, there was always a helping hand ready to assist.

"If critical infrastructure cannot regulate itself, the government will step in and regulate it. [That said] governments, including the US government, do not always do the right thing. I’m [not saying] regulate more, but regulation certainly needs to exist," Mogull said.

He estimates that it will initially cost around 8 per cent of a utility company’s annual IT budget to become compliant with critical infrastructure IT security standards, a cost that would then decline after it was rolled out.
