How vulnerable are we to a cyber attack?

The Eastern seaboard was thrown into panic last August when it was hit by a massive power cut which caused widespread disruption. Traffic lights failed, trains stopped running, people were trapped in lifts and business ground to a halt.

Mass panic was caused by the initial belief that the power failure was the result of a terrorist attack.

This was discovered not to be the case, but when the possible implications were combined with memories of the 9/11 attacks on Washington and New York, it's understandable why the possibility of 'cyber-terrorism' entered people's minds.

The term has been thrown around for some time now, with varying degrees of associated doom and gloom, but its definition is far from uniform.

"Cyber attacks target the computer or telecoms networks of critical infrastructures, such as power systems, traffic control systems or financial systems," is the official US government definition.

"Cyber attacks target IT in three different ways. First is a direct attack against an information system 'through the wires' alone [i.e. hacking].

"Second, the attack can be a physical assault against a critical IT element. Third, the attack can be from the inside as a result of compromising a trusted party with access to the system."

The White House is treating the threat seriously, advising citizens to be prepared to do without services they depend on that could be disrupted, such as electricity, telephones, natural gas, fuel, tills, cash machines and internet transactions.

But the White House definition is only one of many. And that's causing confusion, according to Symantec Security Response senior research fellow Sarah Gordon.

"If you ask 10 people what cyber-terrorism is, you will receive at least nine different answers," she explained. "When those 10 people are computer security experts, the discrepancy moves from being comedic to rather worrisome."

The UK government has set up the National Infrastructure Security Co-ordination Centre (NISCC), a cross-government and industry body intended to protect the "critical national infrastructure" from electronic attack. But it is slightly less alarmist than its US counterpart about the threats posed.

"In terms of the current threat, we consider the chances of a serious denial-of-service attack to be low. That's been the case since the NISCC has been in existence," stated a Home Office spokesman.

If you believe the doom-mongers, electronic Armageddon is just around the corner. But those in the know are less convinced about the threat.

"The former White House advisor Richard Clarke said that cyber-terrorism attacks are very, very bad and we should prepare for them," said Forrester Research vice president and research director Steve Hunt.

"It's not very, very possible because we don't see any indications that there is a probability that they will occur."

Fellow analyst Gartner holds a similar view. "There is scant evidence of true cyber-terrorism, which I would define as using networks and computers to cause physical harm, kill people, and cause a loss of confidence in institutions such as banks," maintained Victor Wheatman, managing vice president at Gartner.

"Terrorists know that bombing and blowing up buildings and killing people is more effective than even shutting down the internet would be, if one could actually do that for more than a few hours.

"The internet was designed to survive nuclear attack. If your home banking system or amazon.com went down it might be an inconvenience, but I'm not going to be quaking in my boots in fear."

Along with the hype has come the message that organisations need to make special efforts to defend themselves.

Malcolm Hutty, regulation officer at the London Internet Exchange (Linx), advises businesses to remain vigilant and third parties to be more proactive. "There are things that the major ISPs and networks can do," he said.

"If people are concerned about cyber-terrorism there is something they can do about it: make sure they're not part of the problem.

"Make sure machines are updated with patches and antivirus software and follow best practice security."

Forrester's Hunt believes that best practice activities will suffice. "Companies can prepare without doing anything special. Do security responsibly and effectively, and you will be protected," he said.

At worst, cyber-terrorism would be inconvenient, according to the experts. In fact, Gartner's Wheatman believes that too much hype could be dangerous.

"I would argue that those who hype cyber-terrorism do more to create fear and a loss of confidence than any actual cyber-terrorist has to date," he said.

"Yes, there is 'hactivism', and worms and viruses are being pushed out by some with a political agenda, but I would not associate the word 'terror' with these activities, vexing as they may be."