of a physical attack (e.g., by providing false information that drives people toward, rather than away from, the point of attack); diminution of timely responses to an attack (e.g., by interfering with communications systems of first responders); and heightened terror in the population through misinformation (e.g., by providing false information about the nature of a threat). The techniques to compromise key IT systems—for example, launching distributed denial-of-service (DDOS) attacks against Web sites and servers of key government agencies at the federal, state, and local levels; using DDOS attacks to disrupt agencies’ telephone services and the emergency-response 911 system; or sending e-mails containing false information with forged return addresses so that they appear to be from trusted sources—are fairly straightforward and widely known.
When an element of the IT infrastructure is directly targeted, the goal is to destroy a sufficient amount of IT-based capability to have a significant impact, and the longer that impact persists, the more successful it is from the terrorist’s point of view. For example, one might imagine attacks on the computers and data storage devices associated with important facilities. Irrecoverable loss of critical operating data and essential records on a large scale would likely result in catastrophic and irreversible damage to the U.S. economy. However, most major businesses already have disaster-recovery plans in place that include the backup of their data in a variety of distributed and well-protected locations (and in many cases, they augment backups of data with backup computing and communications facilities).1 While no law of physics prevents the simultaneous destruction of all data backups and backup facilities in all locations, such an attack would be highly complex and difficult to execute and is thus highly unlikely.
The infrastructure of the Internet is another possible terrorist target, and given the Internet’s public prominence, it may appeal to terrorists as an attractive target. The Internet could be seriously degraded for a relatively short period of time by a denial-of-service attack,2 but such impact