For anyone who tracks cybercrimes, attacks and the insecurities that allow these activities to occur, I would expect at least some would acknowledge that e-crime and e-fraud are matters of concern for anyone connected to the internet – be they business or individual.
Some of those threats emanate from small pockets of the internet community, and appear as the e-crime equivalent of a startup. They are small-time, opportunistic, and looking for ways to monetise their innovations.
Of greater concern are the others, which present themselves as sophisticated, well-established criminal enterprises, and exhibit many of the behaviours you’d expect from a large corporation. These criminal organisations have an internal business logic, they invest in research, they want highly motivated staff, project plans – and above all, they want to make lots of money.
Given the existence of such sophisticated criminal networks, the notion of e-terrorists seems to be a little closer to reality than many of us would have hitherto believed, or even wished to accept.
Attacks against Estonia, and similar ones mounted against the UK and the US – the so-called Titan Rain emanating from China – already stand as proof that cyber technology can be used to launch attacks against high-profile organisations with some degree of success. But what if the use of technology was also aligned to other forms of attack? Would it be possible to target financial markets, or a specific sector of the economy?
Could it be that actions such as the recent terrorist outrages in Mumbai, where simultaneous targets were attacked, will be replicated in the virtual world? Extremist organisations may have seen the operational benefits offered by aligning cross-disciplined attacks, and could feasibly look to align physical attacks with cyber incursions, presenting the type of attack that current risk assessments have simply not even considered.
Such speculation remains in the world of the theoretical. But our position does seem to present three pertinent questions. Are those upon whom it is incumbent to protect the critical global and national infrastructure alive to the threats? Is the internet subject to sufficient governance and operational resilience to support the current levels of global commercial dependence? And are businesses prepared to face up to the next generation of threats or will they be caught out by operating in a reactive manner?
One must also wonder: do the good guys possess the same levels of imagination as the bad guys? And above all, in the wake of the credit crunch and the toxic debt sweeping our financial institutions, does it really make sense to save corporate spend on security? Is this simply short-sighted, and is it playing into the hands of the criminal fraternity and leaving the business client base exposed to insecurity?
Above all, how does the acceptance of cloud computing, and reliance on the internet fit in with these potential threats? Should business continuity and operational resilience play a greater role in assessing the case for cloud computing? Or is the pressure of profitability embraced as the only way to go? The notion of “live now, pay later” just may be too high a price to pay.