Terrorist Threats to Multi National Corporations
by
Mr. R. Swaminathan, IPS (Retd.), formerly Special Secretary, DG (Security), 
Govt. of India, India.

Multi National Corporations (MNCs) share with other big corporate entities all the usual threats from terrorists and others, to their security and safety. In addition, they also have to tackle specific types of threats that emanate because of their MNC character.

Strengths are Vulnerabilities

Some of the very factors that contribute to the successful functioning of MNCs tend to become their vulnerabilities.
· MNCs are able to disperse their manufacturing facilities in different countries, based on availability of raw materials, inexpensive real estate / power / labour etc.; and, in some cases, amenability of "friendly" governments to overlook deviations from pollution control norms. Where the governments are so "amenable", they are also likely to be weak and unprepared to provide the required support against terrorist threats. 

· MNCs try to reduce the per-unit cost of capital-intensive products by building larger production facilities. Placing expensive equipment and highly skilled people in a single location provides for easier access, more efficiency and synergies that lead to the creation of wealth. This concentration of high-value assets in relatively compact locations, in order to achieve economies of scale, creates extraordinarily attractive targets for terrorists, who can cause a huge amount of damage in a single strike. 

· Many MNCs include a multitude of economic and technological systems (that are like networks) for their efficient functioning. The more developed and complex the interconnected networks become, the more they have features that make their behaviour non-linear; i.e. a small shock to a critical node produces a disproportionately large disruption.

· MNCs, because of their enviable economic success and "foreign" origin, become easy targets against whom angry mob feelings could be aroused (particularly in places where the differential in the living standards is high) and where the people could easily be misled by disinformation about pollution risks. Efforts by governments, in collaboration with MNCs, to enhance national or regional economic development may become the object of attack by those opposed to modernisation. 

Trends in Terrorist Activities

Terrorists are likely to make increasing use of non-weapon technologies for destructive ends. Technological advances in communications and information technology (IT) help them to give another meaning to the acronym WMD - Weapons of Mass Disruption, not necessarily of Mass Destruction. Terrorist organisations can share information on weapons and recruiting tactics, arrange surreptitious fund transfers across borders and plan attacks through the Internet. The Web also provides access to critical information posted by MNCs in their websites. Manufacturing and storage facilities of many MNCs are filled with devices packed with energy, combustibles, and poisons; giving terrorists ample opportunities to exploit them for destructive ends. 

It can be anticipated that apart from existing issue-oriented "fringe element" extremist movements such as radical environmentalism, pro-life movement and animal rights groups that pose threats to the functioning of many MNCs, there will emerge new groups ready to use terrorism to avenge real and imaginary grievances. Such grievances need not necessarily be against the MNCs themselves, but may be against the host government and the prevailing disparate economic order. These groups may at the outset be small and not tied to any recognised social or political movement. They could, however, become capable of maximising their impact through the skilful use of up-to-date media and communications.

It is also likely that new brands of terrorists may emerge. One possible profile for the terrorist of the future may well be a private individual not affiliated with any established group, but drawing on other similarly minded individuals for support.

Complex Terrorism

Successful MNCs generate unprecedented prosperity through technological and economic innovations. Most of them have a multitude of systems that function like complex inter-connected networks. The more developed amongst them are likely to have feedback loops that produce vicious cycles, e.g. a stock market crash, in which selling drives down prices and that induces more selling. Networks can also be tightly coupled (where the links among the nodes are short) making it easy for problems in one node to spread quickly to others. For instance, when drivers tailgate at high speeds on freeways, they create a tightly coupled system. A mistake by one driver, or a sudden shock coming from outside the system (such as a deer crossing the road), can cause a chain reaction of cars piling onto each other. The external introduction of a shock to an extremely vulnerable node may result in crippling and unanticipated attacks. Prof. Thomas Homer-Dixon (Director of the Centre for the Study of Peace and Conflict at the University of Toronto) has labelled this new and sinister threat to modern and complex high-tech societies and corporate entities as "complex terrorism".

No one can possibly imagine or anticipate all the novel opportunities for terrorism provided by critical technological and economic systems that are so complex that they are replete with vulnerabilities; and one may not even know the right questions to ask. Complex terrorism is particularly effective when its goal is not a specific strategic or political end, but simply the creation of widespread fear, panic and economic disruption. A more general objective vests the terrorists with a wider choice of targets.

The extent of damage from a complex terrorist attack would depend upon the network's level of redundancy - that is, on the degree to which the damaged node's functions can be offloaded to undamaged nodes. On 9/11, for instance, there was large-scale physical damage to the area's infrastructure; but there were no catastrophic failures in the financial, economic or communications networks. The World Trade Centre, as it turned out, had not been as a critical and non-redundant node as most people would have thought. As a measure of preparedness for disaster recovery, many firms had set up alternate facilities for data and computer equipment in remote locations. For example, though the NASDAQ headquarters was demolished, its data centres in Connecticut and Maryland could have restarted trading only a few hours after the attack. There is a serendipitous lesson in this for all MNCs. Major players who can afford to set up their own independent (preferably satellite-based) emergency backup networks should try to do so.

One should also recognise that the 9/11 attacks had a critical effect in another area - the psychological network. Raw emotion flowed from TV and radio stations to their audiences and from person to person through the telephone and the Internet. This resulted in mass generation of grief, anger, horror, disbelief, fear, and hatred. It was as if all had been wired into one immense, convulsing, and reverberating neural network that acted like a huge megaphone amplifying the emotional impact of the terrorist attacks. In closed circuits like those of the MNCs, a certain psychological preparedness needs to be developed, to cope with post-terrorist trauma.

Can MNCs do anything to lessen the risk of complex terrorism? Yes. First, they must take steps to reduce the vulnerabilities related to their complex technologies. They can do so by loosening the couplings in their networks, building buffers into these networks, introducing "circuit breakers" that interrupt dangerous feedback, and dispersing high-value assets so that they are less concentrated and thus become less inviting targets. 

This will mean different things for different networks. In the energy sector, loosening the coupling might mean greater use of local energy production and alternative energy sources (like solar power) that would reduce the dependence on the local electricity grid. Similarly, in production, loosening the coupling might entail increased autonomy to local and regional production centres, so that when one network is attacked the damage does not cascade into others. In many industries, increased buffering would involve moving away from just-in-time production processes. Inventories of feedstock and parts would have to be increased so that production can continue even when the supply of these essential inputs is interrupted. Clearly this policy would reduce economic efficiency, but the extra security of more stable and resilient production networks could far outweigh this cost. Increasing insurance costs may also encourage the dispersal of high-value assets. Again, dispersal may entail substantial economic costs, because economies of scale and opportunities for synergy would be reduced. It has to be recognised that we face new circumstances. Past policies seem to have become inadequate. 

Security planning should pinpoint and protect the critical complex networks for producing and distributing energy, information, water, and food. Disruption of these would be most susceptible to the multiplier effect of technology-amplified emotional response. Systems handling energy and hazardous materials are easy targets for turning supposedly benign technology to destructive ends. Though attacks on them may be technically difficult, it is essential that they are made "hardened" targets to the extent possible. Educating the local populations about the actual risks, safety measures in place and crisis management procedures can reduce misinformed apprehensions and panic. Involvement in local social development activities could help in keeping them more friendly and tolerant.

Security at chemical plants is often lax. An April 1999 study of such facilities in Nevada and West Virginia by the U.S. Agency for Toxic Substances and Disease Registry concluded that security ranged from "fair to very poor" and that oversights were linked to "complacency and lack of awareness of the threat". Awareness of the risk, combined with adequate security and preparedness for emergency recovery, would be a major factor in reducing collective emotional collapse. 

Digital Terrorism

Analysts warn that terrorist acts will now include more sophisticated forms of destruction and extortion such as disabling or penetrating vital commercial computer systems. An adequate discussion of digital terrorism is beyond the scope of this paper (and probably of this seminar too). We may, however, consider some of the significant aspects.

Tom Kellermann, a senior data risk management specialist at The World Bank in Washington, presented the findings of a study on the electronic security risks facing the global financial community during an online seminar sponsored by Cable & Wireless Internet Services Inc. on 29 October 2002. He reported that the number of organised hacking syndicates targeting financial institutions around the world is growing at a disturbingly fast rate. And so is the number of banks willing to pay these high-tech extortionists hush money to protect their reputations. The study details the growing security challenges facing the financial sector as a result of the industry's increasing dependence on the public telecommunications system, rapid adoption of wireless systems and outsourcing of operations to third parties.

Banks and other financial companies are increasingly outsourcing many of their operations. This could lead to disastrous consequences for hundreds of banks at once if the hosting company does not implement proper security precautions. Kellermann cited an incident of penetration of systems run by an Atlanta-based provider that led to the compromise of more than 300 banks, credit unions, insurance providers and investment firms. The linking of Internet technologies to sensitive back-office systems such as customer databases and real-time stock data, has made online extortion a major "safety and soundness issue" for the financial markets. 

The use of Virtual Private Network (VPN) technology to connect thousands of remote offices and workers to their corporate networks is increasing in popularity. While recent security alerts have resulted in the critical examination of the software used, it is more likely that changed policies and not software patches that are required. There are VPNs in which a totally untrustworthy (host) network is connected to an otherwise well-managed corporate network. VPN hosts should not be treated as a part of the internal company network. When employees access the VPN through the corporate gateway, they should first be made to pass through the firewall and content filtering. 

One of the most significant vulnerable areas in the Internet is the system of computers - called "routers" and "root servers" - that directs traffic around the Net. An error in one router, or its malicious reprogramming, can lead to errors throughout the Internet. This vulnerability was exploited during a major attack on 21 October 2002, but the built-in redundancies enabled the Internet to continue functioning with only minor hiccups.

It is a complex technical (and politico-economic) task for nations and commercial enterprises to protect their information assets and ensure that critical operations continue even if attacked. The growth of world markets and an increase in trans-national mergers only serve to compound this complexity. Brookings Institution, the Washington-based public policy think tank, released on 17 October 2002 its study on "Interdependent Security". It argues that the shared-risk nature of today's security environment tends to discourage companies from making the costly investments in security. When industry-leading companies fail to invest in certain security precautions - because of cost or other reasons - that knowledge can help "clinch a decision not to proceed" at other firms. "In these circumstances, an entire industry may be unwilling to take reasonable precautions against catastrophe." Many companies may see little incentive to bear the costs of protecting against an event that is "highly unlikely" to target them individually. Most corporate executives still view the security budget as an expense with no tangible return on investment, but this mind-set has to change. Therefore, "a combination of regulations, insurance and third-party inspections offers the most auspicious approach to improving security at reasonable economic cost."

According to some expert observers, the excessive reliance of the recently released draft U.S. National Strategy to Secure Cyberspace on market forces to drive security investments in the private sector is its Achilles' heel. Some other experts feel that market forces do not apply only to the development of secure software and hardware but also to the need for individual organisations to secure their environment. Hence the need to work out a "middle ground" between government regulation and industry self-regulation.

The hyperbole about the damage that can be inflicted by an Internet attack frequently overshadows common sense. Most apocalyptic forecasts of the results of digital terrorism or cyber-attacks are highly exaggerated. Such attacks can come in two forms: one against data, the other on control systems. The first type attempts to steal or corrupt data and deny services. The vast majority of Internet and other computer attacks have fallen into this category, such as credit-card number theft, web site vandalism and the occasional major denial-of-service assault. Attacks on control systems attempt to disable or take control over operations used to maintain physical infrastructure and manufacturing processes. While remote access to many control systems were previously possible only through direct dialling in with a modem, these operations are increasingly using the Internet or are connected to a company's local network - a system protected with firewalls that often could be penetrated. Many security officials, however, say that any damage resulting from electronic intrusion would be measured in loss of data but not life.

Although it is possible for electronic intrusions to damage infrastructure, taking control of well protected systems from the outside is extremely difficult, requires a great deal of specialised knowledge and must overcome non-computerised fail-safe measures. As a result, government and corporate security experts feel that while it would be relatively easy to carry out a cost-free or risk-free attack given the endemic vulnerabilities in the system, it would be harder to kill people or have a lasting effect using cyber-attacks.

Digital intrusions can, of course, compromise intellectual property and sensitive research data that can lead to long-term economic loss. They can also place customer data at risk and erode confidence and trust in an enterprise and its affiliates. Digital security is a moving and dynamic target. There is no one-size-fits-all solution that can make an enterprise cent percent secure. Cyber-security within an enterprise is not merely a technical problem, it is a management challenge. The scope of the risks is such that it can be effectively managed only by engaging senior leadership and by involving the corporate board of directors. Preparedness plans should ensure that digital security is factored into the overall operations of the enterprise.

Precautions

· Integrate, from the bottom up, cyber and physical security policies and strategies with due regard to organisational structure and operational considerations. MNCs should consider setting up enterprise-wide Corporate Security Council to protect the full range of critical infrastructures. It is essential that key decision-makers and technical officials be brought together. In a crisis, they can advise the CEO and coordinate the execution of contingency and continuity plans.
· Identify and harden critical infrastructure nodes and links, cyber and physical, and thus enhance the ability to respond to terrorist attacks. Conduct periodical vulnerability assessments of critical infrastructures and infrastructure interdependencies, to identify and mitigate vulnerabilities. 

· Corporate boards should consider forming board committees on IT security and should ensure that the CEO regularly reviews the recommendations of the Chief Information Security Officer. The CEOs, in turn, should consider regular independent IT security audits, remedial programs and reviews of best practices implementation.
· Build redundancy by setting up alternate facilities for data and computer equipment in remote locations. Independent (preferably satellite-based) emergency backup networks would be very useful for Disaster Recovery.
· All employees should be trained on the need for physical and IT security. Foster a culture of safety and security.

*************