ists were able to make a credible claim that the control software of a popular fly-by-wire airliner was corrupted and could be induced to cause crashes on demand, perhaps demonstrating it once, public confidence in the airline industry might well be undermined. A more extreme scenario is that the airlines themselves might ground airplanes until they could be inspected and the software validated.

To the extent that critical industries or sectors rely on any element of the IT infrastructure, such disproportionate-impact disaster scenarios are a possibility.

Possibility, Likelihood, and Impact

The scenarios above are necessarily speculative. But it is possible to make some judgments that relate to their likelihood:

  • Attacks that require insider access are harder to mount and thus less likely than attacks that do not. Insiders must be placed or recruited, and insiders are not necessarily entirely trustworthy from the standpoint of the attacker. Individuals with specialized expertise chosen to be placed as infiltrators may not survive the screening process, and because there are a limited number of such individuals, it can be difficult to insert an infiltrator into a target organization. In addition, compared to approaches not relying on insiders, insiders may leave behind more tracks that can call attention to their activities. This judgment depends, of course, on the presumed diligence on the part of employers to ensure that their key IT personnel are trustworthy, but it is worth remembering that the most devastating espionage episodes in recent U.S. history have involved insiders (Aldrich Ames and Robert Hanssen).

  • Attacks that require execution over long periods of time are harder to mount and thus less likely than attacks that do not. Planning often takes place over a long period of time, but the actual execution of a plan can be long as well as short. When a plan requires extended activity that if detected would be regarded as abnormal, it is more likely to be discovered and/or thwarted.

  • Terrorist attacks can be sustained over time as well as occur in individual instances. If the effects of an attack sustained over time (perhaps over months or years) are cumulative, and if the attack goes undetected, the cumulative effects could reach very dangerous proportions. Because such an attack proceeds a little bit at a time, the resources needed to carry it out may well be less than in more concentrated attacks, thus making it more feasible.

  • Plans that call for repeated attacks are less likely than plans that call for single attacks. For example, it is possible that repeated attacks on the Internet could render large parts of it inoperative for extended periods of time. Such an onslaught might be difficult to sustain, however, because it would be readily detected and efforts would be made to counter it. Instead, an adversary with the



The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.