It seems likely that there may be efforts by terrorists and others who serve them, to conduct probes or experiments along lines that might lead to attacks under categories 2 and 3.

As far as we can tell, terrorists have not been responsible for any of the major attacks or accidents that have occurred in recent years under categories 2 or 3. So much has been written about such possibilities–and they have had some prominence in the media–that it is inconceivable that terrorists are not aware of them. So far, for reasons we can only speculate about, they do not seem to have chosen to pursue these possibilities with vigor and effect, or perhaps they have tried and failed.

It would seem prudent to expect that such attacks will be launched sooner or later. Therefore we should ask ourselves the following: How do we try to deal with terrorists in cyberspace? We start to answer this question by distinguishing between two forms of defense: passive and active defense.²³

Passive defense is essentially target hardening. It largely consists of the use of various technologies and products (for example, firewalls, cryptography, intrusion detection) and procedures (for example, those governing outside dial-in or reconstitution and recovery) to protect the information technology (IT) assets owned or operated by an individual or organization. Some forms of passive defense may be dynamic, such as stopping an attack in progress, but by definition, passive defense does not impose serious risk or penalty on the attacker.

Active defense by definition imposes serious risk or penalty on the attacker. Risk or penalty may include identification and exposure, investigation and prosecution, or preemptive or counter attacks.

With only passive measures, the attackers are free to continue the assault until they either succeed or get frustrated and look elsewhere. Given the vulnerabilities of most cybersystems, the low cost of most attacks, and the ability of attackers to strike from positions of physical safety, a skilled and determined attacker may be more likely to succeed than to become frustrated.

Some defensive actions, for example stopping an attack in progress, can be pursued using both passive and active means. Passively, the defender might plug a vulnerability hole in real time. Actively, the defender might try to locate and get back to the source of the attack.

For several legal and other reasons, most forms of active defense will necessarily fall to governments.²⁴ The effective pursuit of active forms of defense, with a high probability of correct identification and few false positives, is very challenging technologically.