There is little doubt that the U.S. war on terrorism will continue into the foreseeable future and beyond. Most experts also agree that more attacks against the U.S. are likely to occur. The question is not if terrorists will strike again, but when, where, and how will they strike. In my conversations with law enforcement officials at both the state and federal level, most agree that the next target is most likely to be at the nation’s vital infrastructure. The FBI, although they possess no specific threat information, has received uncorroborated reports indicating that terrorists may be using U.S. municipal and state Web sites to obtain information regarding local energy infrastructures, water reservoirs, dams, highly-enriched uranium storage sites, and nuclear and gas facilities. The specter of an unanticipated and massive attack on critical infrastructures that disables core functions such as electrical power systems, water supply systems, telecommunications, gas and oil, banking and finance, transportation, government services, and emergency services, has been raised in a number of reports on national security. Many experts consider the odds of a massive, well-coordinated cyber attack upon the vital infrastructure of the United States (Digital version of Pearl Harbor) at about 50-50. For this reason information systems associated with these critical infrastructures must be considered a likely target for terrorists. In 1998, Barry Collin, a computer whiz many credit with inventing the term cyber terrorism, said; “Five or ten years from now, we’ll look back and say the terrorists of the `80s and `90s were really primitive because all they used were bombs and guns to kill people. Blowing up people does not cause a government to change policy. If you can affect tens of thousands of people, you have widespread, actual panic.” Taking down power grids, water systems, and gas pipelines need not involve blowing up power lines, poisoning water, or cutting pipelines. Thanks to the miracles of modern technology, it is now possible to use computers to wreak havoc on the vital infrastructure from half way around the world. When he testified before Congress last year, the Director of the Central Intelligence Agency, called computer-generated terrorism “the ultimate precision-guided weapon” and said the ability to carry out such attacks is already in the hands of a number of terrorist organizations, including Hezbollah. It is unclear whether the Al Qaeda organization or other terrorist groups have developed cyber warfare capabilities, or how extensive these capabilities may be. To date, few terrorist groups have used cyber attacks as a weapon. However, terrorists are known to be extensively using information technology and the Internet to formulate plans, raise funds, spread propaganda, and communicate. Furthermore, cyber attacks against infrastructures have been the subject of speculation for several years. Vulnerabilities in the nation’s power distribution grid were first exposed during military exercises, following which, a Pentagon spokesperson stated, “We did learn that computer hackers could have a dramatic impact on the nation’s infrastructure, including the electrical power grid.” This vulnerability was exploited for real in June 2001, when computer hackers, routed through networks operated by China Telecom, penetrated the defenses of a practice network of the California Independent Systems Operator (Cal-ISO) for 17 days. So, where does your credit union fit into the picture? If your credit union is affiliated with a military installation or government agency, there is a possibility that your computer networks may become the target of a direct attack. Recent history has provided numerous examples of attempted and successful Web site defacements and network penetration of many of those credit union sites by computer crackers responding to events in Asia and the Middle East. Those credit unions are still at risk and should be deploying defensive measures that would be extraordinary for most other credit unions. Additionally, every credit union should be asking, “How will we respond, and how will we maintain business continuity in the event that terrorists succeed in their efforts to collapse our vital infrastructure for a period of five, 10, or even 15 days?” Nearly every credit union has experienced a closing due to snow or ice storms, hurricanes, floods, tornados, earthquakes, and other natural disasters. Vital services are restored within a few hours to a few days, and credit unions reopen without suffering much more than slight inconvenience. But what if your community, along with the rest of the nation, is without power, water, telecommunications, and other vital services for several days? Will you be able to quickly restore operations, provide your members with basic financial services, and protect your credit union until you can resume normal operations? If you plan and prepare now, you can rise to the challenge and your members will benefit as your credit union is among the first to recover. It’s time to review your Disaster Recovery Program. If you haven’t updated or tested the plan during the past 12 months, this is the time to do so. In addition to the traditional components of the program, flood, fire, earthquake, etc., you should have a plan for response to terrorist activity and business continuity without the benefit of public utilities. Develop a notification plan to activate your response teams in the event that telephone service, including cellular, is interrupted. If you have a backup generator, ensure that it is in good working order. If you don’t have a generator, pre-arrange a lease with firm commitments from a local rental company; and pre-arrange cash pick-up with your armored car service to sweep ATMs that may be without communications, alarms, or power. Arrange for guard services to have personnel with two-way radio communications capabilities at branch locations, and other vital facilities. Test your ability to operate off-line for several days if necessary. Contact other credit unions in your area and establish plans to share resources and facilities. Contact your state and local government emergency preparedness agencies and ascertain what plans these agencies may already have and what you can do to obtain and provide assistance during and immediately following a major incident. Finally, always remember the cardinal rule of disaster recovery planning: Plan for the worst and hope for the best.