Hacked off by the hype about cyber terrorism

Just as IT security firms have a vested interest in talking up hacking, there’s an agenda in cyber scaremongering.

Stoking up overhyped fears never used to be the province of government. Until the recent ‘mistake’ – when warnings against terrorist attack by chemical weapons or nuclear ‘dirty’ bombs were ‘accidentally’ issued to the press – we relied on government to take a more measured approach, weighing up the risks of attack against the risks of hysteria, and giving sensible advice. That was before it pulled out all the stops to justify a war on Iraq.

Inevitably these days we can’t talk about the bogeymen of terrorism without talking about cyber terrorism. Nefarious characters with murder in mind populate the radio waves and the internet, we’re told, as much as the caves of Afghanistan.

Those fears seemed to be borne out with the arrest of Gary McKinnon, an unemployed Londoner, on accusations of hacking into several US government computer networks, then implanting a Remote Access Trojan to allow him, reportedly, to scan 65,000 computers. If a lone hacker could crack open the networks of the most security-conscious nation on earth, what chance does the average company stand of avoiding disaster?

Yet the fears of hacking are grossly overestimated. Yes, there are cases when clever hackers or even not-so-clever script kiddies exploit openings in corporate networking defences. But just how serious are the risks of cyber terrorist attacks, and indeed ordinary hacking attacks, in the UK? Not very is the real answer.

Anyone who’s ever attended a computer security conference will know this routine. A couple of ‘reformed’ hackers stand up and tell the audience, ‘I know ways to get into any British airport security system, you could take down air traffic control, anyone with even a basic hacking knowledge could get into the electricity power grid and start closing power stations.’ And this was before September 11.

The question the hackers never seem able to answer is this: if these hacks are so easy, how come nobody has done them? Surely it can’t be because all hackers are so upstanding they wouldn’t dream of using their powers in such a way. There are enough fruitcakes and sociopaths to take out the occasional air traffic system if they could.

So perhaps it hasn’t been done because actually it’s difficult, even with today’s increases in computer power. Even with the internet. Because security systems generally do work.

The latest scare has been over wireless networks. The rising use of wireless networks has led to cases of ‘drive-by hacking’, where hackers sit outside buildings in anoraks, or even pass by in cars, and listen in on corporate goings-on. At least, so we’re told. To add insult to injury, the only equipment such hackers need, apparently, is an empty Pringles tin to use as an aerial. And presumably once you’ve popped one network, you just can’t stop.

While it’s true that wireless networks open up security problems, the chances of someone caring enough to sit outside in the cold to read flirtatious e-mails between your staff are quite slim. Because unless you know what you’re looking for, most of the information on corporate networks is not very valuable. Rather than facing menace from random hackers, IT systems are more vulnerable to attack from the hundreds of people the firm just laid off, whose passwords can still be used to enter the system.

Of course, this doesn’t mean companies shouldn’t protect themselves against attack. Firewalls go without saying. You can encrypt your wireless networks, if you fear their exposure. Network intrusion software is also a good idea, as it lets you know if any determined hackers are targeting your company. If you run an e-commerce operation, you have a duty of care to keep customers’ payment details private. But unless you are in charge of the national grid, or air traffic control, you don’t need enormous security operations.

The reason why hackers like to scare companies is they have a vested interest in talking up fears. They get paid to solve hacking problems. Computer security firms never tell you that hacking is a minor problem: faced with the small incidence of attacks that make it into the public domain, their response is that they know many more companies that have suffered breaches, but they’re not allowed to talk about them for security reasons. They would say that.

In getting in on the cyber terrorism scare, government is playing the same game. Talking up the fear of hackers is a handy way of justifying draconian laws that force companies to hand over electronic data to government scrutiny. These laws are not only frightening in their implications on privacy, they also impose an unreasonable burden on firms.

So, as businesses and as citizens, we should be less panicky about hacking, and far more worried that the increasingly authoritarian tone coming from government in the US now finds an echo in the UK.

Fiona Harvey is technology writer for the Financial Times