Al-Qaeda launches an electronic strike on the West, dispatching worms and viruses via the internet. Parts of the National Grid are knocked out. Electronic Funds Transfer cannot take place; invoicing, ordering, distribution and payroll are affected. Diesel to run back-up generators is in limited supply. Food supply is disrupted and food that is on the shelves begins to spoil.
The public panics.
A far-fetched scenario? Not according to some experts and politicians who are urging retailers and manufacturers to prepare themselves not only for the possibility of an attack on their physical premises but for a cyber-terrorist attack. Many businesses remain dangerously ignorant of the threat, they warn. So how serious is it and what should businesses do?
The Home Office considers the threat of cyber-terrorism low compared with bricks-and-mortar attacks. But earlier this month we saw how the Sasser worm disrupted global banking and forced Britain’s coastguards to revert to pen, paper and radios after their electronic mapping systems, e-mail and other computer functions were knocked out.
That was just one worm. A simultaneous blend of terrorist-mounted computer-based attacks could cause mayhem. And Al-Qaeda is thinking about it, according to the White House’s homeland security adviser General John Gordon, who told a US security conference recently that Al-Qaeda had some expertise in the field.
Michael Fabricant, Tory shadow minister for economic affairs, believes that the UK is a prime target for cyber-terrorism and that the government is inviting trouble by not putting enough emphasis on it. He says: “Cyber-
terrorists could attack our nation’s infrastructure. Our electricity and gas supplies are all computer controlled. Al-Qaeda and other terrorist organisations may well adopt this tactic in the future. I believe that we need to be more prepared.”
Nick Ray, chief executive of intrusion prevention company Prevex, which is sponsoring the All-Party Internet Group inquiry into the Computer Misuse Act 1990, adds: “Few organisations do enough to protect themselves. The nature of the threat is shifting. Supermarkets need to try to keep abreast of the latest threat. People aren’t responding quickly enough.”
The statistics paint a stark picture. In the event of an attack, an alarming 13% of retailers would see their systems go down in the first hour of a blackout, according to an independent study in March by IT assurance firm CNN Group. Most systems would have crashed within 24 hours. Worryingly, far too many UK firms have a false sense of security when it comes to their disaster recovery strategy, suggests the Department of Trade and Industry’s 2004 Security Breaches Survey, published last month. Just 8% of the survey’s respondents had tested their disaster recovery plans.
The good news is that supermarkets are beginning to register the threat. Mike Jolley, security manager, information systems, at Co-operative Group, says it has identified the risk as high-level and Mark Trevorrow, Budgens Stores head of IT, says it is one of many real risks facing all businesses today. Some companies are beginning to put in place measures to counter the threat, although they are reluctant to go into detail.
The British Retail Consortium spokesman David Southwell explains: “The government is not happy for us or any company to talk about their prevention. The more information in the public domain, the more you are giving people who are trying to enact this. Companies will have received advice from security consultants and government not to talk about their plans.”
Asda goes one step further and says that publicity about such threats could push customers into panic buying.
Tesco, however, reveals that it regularly
reviews the risks and ensures that it has controls in place to mitigate them.
Jim Murphy, managing director of Costco UK, is even more forthcoming: “We have a plan where we could be up in 24 hours. We back up everything each night on disk and it is taken off-site by an armoured car service. If we had a disaster we have a recovery process. We will go off-site to a designated area set up to handle all our business needs.”
Costco has limited back-up generators and if the electricity was hit, dry ice and refrigerated trucks would keep product safe for a short time. “It would affect food supply if it went on for a long time,” says Murphy.
This is not the first time that retailers have had to consider a cyber-threat to their businesses. YK2, aka the Millennium Bug, prompted the first major effort by retailers to put contingency planning into place and many have used that experience to update their protection. Spar wholesalers have recovery plans in place and back-up servers. Experience from a recent telecoms problem in Manchester taught the company valuable lessons after it could not operate its electronic funds transfer systems.
But Prevex’s Ray doubts if preparations put in place for YK2 would be sufficient to handle the new threat. “Every major organisation has some kind of disaster planning but I think they would only work for a limited period.”
Graham Jones, director of Northern Europe for IT security firm Intergralis, which works with some of the leading supermarket chains, claims his company discovered four vulnerable entry points in one food retailer’s online service this month.
Meanwhile, the government continues to monitor the threat to the UK’s national infrastructure via the National Infrastructure Security Co-ordination Centre, which the Home Office established to advise on security issues.
But the experts all agree that businesses need to realise that cyber-terrorism is a real threat and take action to ensure they are as prepared as they can be.
As Stephen Timms, minister of state for e-commerce, says: “The battle to contain the information security menace will be a long one. However, it is a battle that businesses in the UK cannot afford to lose.”