MI5 seeks powers to trawl records in new terror hunt

with the power to plunge developed nations temporarily into the stone age, disabling everything from payroll systems that ensure millions of employees get paid to the sewage treatment processes that make our water safe to drink or the air traffic control systems keeping planes stacked safely above Heathrow. It is one of the few weapons which is most effective against more sophisticated western societies, precisely because of their reliance on computers. “As we become more advanced, we become more vulnerable,” says Alex Neill, head of the Asia Security programme at the defence think-tank RUSI, who is an expert on cyber-attack. The nightmare scenario now emerging is its use by terrorists as a so-called force multiplier — combining a cyber-attack to paralyse the emergency services with a simultaneous atrocity such as the London Tube bombings. Victims would literally have nowhere to turn for help, raising the death toll and sowing immeasurable panic. “Instead of using three or four aircraft as in 9/11, you could do one major event and then screw up the communications network behind the emergency services, or attack the Underground control network so you have one bomb but you lock up the whole network,” says Davis. “You take the ramifications of the attack further. The other thing to bear in mind is that we are ultimately vulnerable because London is a financial center.”

In other words, cyber-warfare does not have to kill to bring a state to its knees: hackers could, for example, wipe electronic records detailing our bank accounts, turning millionaires into apparent paupers overnight. So how easy would it be? Estonia suffered a relatively crude form of attack known as denial of service, while paralyzing a secure British server would be likely to require more sophisticated “spy” software which embeds itself quietly in a computer network and scans for secret passwords or useful information — activating itself later to wreak havoc. Neill said that would require specialist knowledge to target the weakest link in any system: its human user. “You will get an email, say, that looks like it’s from a trusted colleague, but in fact that email has been cloned. There will be an attachment that looks relevant to your work: it’s an interesting document, but embedded in it invisibly is ‘malware’ rogue software which implants itself in the operating systems. From that point, the computer is compromised and can be used as a platform to exploit other networks.” Only governments and highly sophisticated criminal organizations have such a capability now, he argues, but there are strong signs that al-Qaeda is acquiring it: “It is a hallmark of al-Qaeda anyway that they do simultaneous bombings to try to herd victims into another area of attack.”

The West, of course, may not simply be the victim of cyber-wars: the United States is widely believed to be developing an attack capability, with suspicions that Baghdad’s infrastructure was electronically disrupted during the 2003 invasion. So given its ability to cause as much damage as a traditional bomb, should cyber-attack be treated as an act of war? What rights under international law does a country have to respond, with military force if necessary? Next month NATO will tackle such questions in a strategy detailing how it would handle a cyber-attack on an alliance member. Suleyman Anil, NATO’s leading expert on cyber-attack, hinted at its contents when he told an e-security conference in London last week that cyber-attacks should be taken as seriously as a missile strike - and warned that a determined attack on western infrastructure would be “practically impossible to stop.”

Tensions are likely to increase in a globalized economy, where no country can afford to shut its borders to foreign labor — an issue graphically highlighted for Gordon Brown weeks into his premiership by the alleged terrorist attack on Glasgow airport, when it emerged that the suspects included overseas doctors who entered Britain to work in the NHS. A review led by Homeland Security minister Admiral Sir Alan West into issues raised by the Glasgow attack has been grappling with one key question: could more be done to identify rogue elements who are apparently well integrated with their local communities? Which is where, some within the intelligence community insist, access to personal data already held by public bodies - from the Oyster register to public sector employment records - could come in. The debate is not over yet.