Picture the Earth being struck by a massive body hurtling out of space, resulting in a tremendous explosion that would equal the force of millions of tons of TNT.
Think of the immediate damage that would occur from the force of such a blast and the unthinkable heat extending literally hundreds of miles around the impact point. But the impact would also have thrown up tons of debris into the atmosphere. The entire Earth would be enveloped in a thick, dark, dusty cloud that would block any sunlight from touching down anywhere.
Think of the fear, panic and chaos that would ensue as temperatures began dropping precipitously, perhaps hurling humanity, at least temporarily, into a new ice age.
Consider how such a nightmare scenario would affect us all if the cloud persisted for weeks, months–even years.
Some scientists believe this is actually part of what happened to our planet far back in its history. Science buffs will recall that one theory of how the dinosaurs became extinct is that a huge asteroid hit the Earth, creating a global cloud that blocked sunlight, causing tremendous climatic changes that eventually killed the huge creatures off.
Today, there are some who believe that a terrorist strike at our interconnected computer systems could have the same kind of cataclysmic effect on the worldwide economy.
While news media are focusing on the prospect of a biological attack in the wake of the events of Sept. 11, our computer systems remain vulnerable to a cyber-attack that could literally bring business activity to a grinding halt–not only in the U.S., but worldwide.
According to Clint Harris, vice president at Conning & Company, a research organization based in Hartford, Conn., there is “tremendous concern in terms of loss if there are viruses that could bring down the entire Internet. That is a potential.”
Harris compares the impact on financial services of the Internet going down to that of “an asteroid striking the Earth.”
Lets stop and consider that kind of impact for a moment. Financial services, as well as most other industries, has come to rely heavily on the Internet for transactions, marketing, day-to-day operations and even distribution (although the insurance sector neednt worry about the latter).
Were the entire Internet to fail, literally millions of transactions might be lost, or at best take weeks to recover and be recorded on paper. On the insurance side, communications among brokers and carriers and customers would be seriously compromised. Certainly all business activities that use e-mail would immediately cease.
And, if such an attack were to also affect telephone communications, how would any financial commerce take place?
Unquestionably, such a huge blow to our communications infrastructure would severely damage an already reeling economy. Insurance claims from failed businesses just might exceed the ability of companies to pay them.
The results would be chaoticjust the sort of thing that would make a terrorist smile.
Harris is the author of a study entitled “Cyber-Security for Insurers: The Virtual Fortress?” Among other things, that studythe release of which preceded the attacksconcludes that the industrys “somewhat laggard entry” into online distribution of policies and services “may now be exposing their customers, business partners and themselves to massive losses caused by breaches in security.”
Why is insurance particularly vulnerable? First, says Harris, insurers have tremendous assets, which makes them a target. “Insurance is also a target because of its reliance on interconnectivity with other enterprises and businesses, including agents and branch offices,” he adds.
Then there is the fact that most insurers still utilize multiple computer systems, including legacy systems, says Harris. “Multiple systems complicate the systems environment, and the greater the complication, the greater the potential for vulnerability.”
The specific threats to insurance and other business systems include denial of service attacks and damaging code that can destroy critical files. With denial of service attacks, Web sites are deluged with bogus e-mails and requests to the point that they function very slowly or not at allthus, denying service to those who legitimately want to use them.
Even greater danger, however, may be posed by hackers who create malicious code that alters or destroys critical data, Harris notes.
“No matter what you do, you will never be totally secure,” says Harris. He adds that a coordinated cyber-attack on the U.S.and perhaps all of the free world”is certainly possible.”
Even a novice hacker who knows nothing about spreading viruses can go to certain Web sites and get the tools to build and deploy something malicious. But think about how much more dangerous such an attack would be if it were launched by experienced programmers hired by a terrorist group or rogue nation.
“That may be an event thats occurring,” Harris points out. He notes that during the recent downing of the U.S. reconnaissance plane in China there were reported cyber-attack efforts between the U.S. and China.
Those who wish to launch such attacks on a grander scale, says Harris, have the ability to “be remote” and to set up operations “almost anywhere in the world.”
That would seem like an ideal modus operandi for a terrorist group.
“Can [terrorists] accumulate the talent and do it? Weve already seen some evidence” that it is possible, Harris asserts. “The federal government obviously considers this a serious threat. Now there is greater urgency.”
What would be the dollar cost of a major concerted attack? “Who knows,” says Harris. “It could be a tremendous amount of money.”
Harris reports that in the Year 2000, there were security-related losses of $26.4 billion for all industries in the U.S. alone, and that didnt include “soft costs,” such as the need for additional marketing, or the theft of hardware.
The same figures for 2005 are projected to be $43.6 billion in the U.S., but Harris points out that those projections were made without considering the effects of a terrorist attack and the attendant fallout.
So, how can we in this industry protect ourselves against the possibility of going the way of the dinosaurs?
“It begins with the process of building security into all of your processes,” says Harris. “Security as a bolt-on is less likely to work and more expensive in the long run.”
Harris recommends companies appoint someone to head up the effort to develop and implement security policies. “That individual needs to be on a management level that reports directly to the CEO. This is very important,” he explains.
Once policies are in place, security procedures should be regularly reassessed, especially in terms of new vulnerabilities that may come to light, says Harris. This is probably best done by an outside firm that would be less biased and would provide a “broader view.”
I would add that each of us, as an individual user at home or at work, needs to do his or her part.
We can start by taking simple precautions, such as backing up our work and keeping the copied files in a different location than our computer.
If youre a broadband user, turn your computer off when youre not using it. Leaving your system on leaves you vulnerable to hacking, because broadband connections are “always on” while the PC is powered up.
Finally, get and use a good virus detection program. Be sure to update that program at least a few times a monthand every time you hear about a new virus thats going around.
Sure, all these precautions are an inconvenienceand some may be costlybut keeping the lines of business communication open is well worth the annoyance and cash outlay.
Lets face it, Osama bin Laden probably wont be upset if he cant access his online Buddy Chat for a few weeks. Having our business Internet links removed, however, could be a recipe for further disaster in financial services and in the world of business altogether.
As they used to tell us in the Boy Scouts: Be prepared.
Reproduced from National Underwriter Life & Health/Financial Services Edition, October 22, 2001. Copyright 2001 by The National Underwriter Company in the serial publication. All rights reserved.Copyright in this article as an independent work may be held by the author.