Bomb Threats: An Effective Denial-of-Service Attack

The University of Pittsburgh received over 80 bomb threats during a recent 30 day period. Each time, the university evacuates the threatened building, searches it top to bottom, including its 42 story main classroom building. Officials find nothing, and eventually classes resume.

 

Think of this as what IT security professionals call a denial-of-service attack…and it's troubling when you consider how effective it is.

 

Police have no leads. The threats started out as handwritten messages on bathroom walls, but are now being sent via e-mail and anonymous remailers. The University response has announced the following:

 

To enter secured buildings, we all will need to present a University of Pittsburgh ID card. It is important to understand that book bags, backpacks and packages will not be allowed. There will be single entrances to buildings so there will be
longer waiting times to get into the buildings. In addition, non-University of Pittsburgh residents will not be allowed in the residence halls.

 

From a security perspective, this may not help and it may even encourage this and other such attacks….but what else can the University do?

 

The incentives for university officials are such that they're stuck with what appears to be overreacting. If they ignore the threats and they're wrong, people will be fired. If they overreact to the threats and they're wrong, they'll be forgiven.

 

For the attacker, though, the cost-benefit payoff is enormous. E-mails are cheap, and the response they induce is very expensive.

 

This is a very dicey situation for any institutional management team.