Since the attack on the World Trade Center on September 11, 2001, there has been considerable speculation about the possibility of cyber terrorism. In March 2000, a disgruntled Australian employee used the internet to release one million litres of raw sewage into the rivers and coastal waters of Queensland. Could terrorists use the internet to gain control of a nuclear power station, an air traffic control system or a military installation? The possibilities for causing mayhem in this way are limited only by the imagination, and the fact that it hasn’t happened yet does not prove that it can’t be done. Hackers have demonstrated convincingly that it is possible to penetrate highly sensitive government and military computers using nothing more sophisticated than a laptop computer and a connection to the internet. Is it only a matter of time before the West is held to ransom by terrorists operating from somewhere beyond the reach of legal or military sanctions?
Experts dismiss these suggestions by pointing out that critical systems are “air gapped” from external networks (i.e. there is no physical connection at all). But the Stuxnet worm managed to infect the Iranian nuclear enrichment program in spite of the presence of an air gap. And there are plenty of systems out there that are supposed to be air gapped – but actually aren’t. During testing of the Boeing 787 Dreamliner, it was found that no air gap existed between the aircraft’s control systems and the network used to provide passengers with in-flight internet access. If this vulnerability hadn’t been found during a routine FAA inspection, it might have enabled a passenger with advanced hacking skills to have a go at flying the plane.