[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[infowar.de] Rick Forno: "Hacker" oder "Terroristen"?
Infowar.de, http://userpage.fu-berlin.de/~bendrath/liste.html
-------------------------------------------------------------
http://www.securityfocus.com/columnists/38
You Say "Hacker", the Feds Say "Terrorist"
By lumping hackers in with cyber-terrorists, the government is
demonstrating a fundamental inability to understand either group.
By Richard Forno
Nov 20 2001 11:00PM PT
Cyber-terrorism. To some, this term connotes the teenager in black,
munching on Doritos and downing Red Bull while three Linux-based
computers whirr away in an endless dance of virus-creation, password
cracking, and network mischief. For others, this term may represent
stunning computer antics such as those of John Travolta?s character in
the Hollywood bust movie ?Swordfish.? It seems that the public,
government, and media deem anyone causing mischief on a computer system
- be they a website defacer or international spy - to be a
cyber-terrorist. This in turn leads to misinformation and confusion
about what a ?cyber-terrorist? really is. We see this in media reports,
government speeches, and ominous warnings about an ?electronic Pearl
Harbor? being around the corner.
A recent article by Helen Atkinson in the Journal of Commerce begins
with comments about ?a virus sent by a 15-year-old boy? that shut down
the Web sites of CNN, Amazon, E-bay, and other major sites last year,
and wonders about the impact of a ?more coordinated attack? against our
computer systems by ?cyber-terrorists.? Atkinson?s article is an example
of the kind of ill-informed fear-mongering that surrounds discussions of
cyber-terrorism.
As most readers of this column already know, the events of February 2000
were not caused by a ?virus? but a by denial of service tool. Mafiaboy,
the fifteen-year-old charged with this attack, was by no stretch of the
imagination a ?cyber-terrorist?. Rather, he was an electronic prankster
and common criminal looking for bragging rights on IRC. He was certainly
not a national security threat, and his incarceration would not make
America or the world one bit safer. Unfortunately, incidents like this
are given hyped-up media coverage that attempts to justify heavy-handed
government reactions, such as the recently signed anti-terrorism bill.
The problem is exacerbated by the fact that there is not a singular
definition of a ?cyber-terrorist.? A new crime of "cyber-terrorism? was
established in Section 814 of the recent anti-terrorism bill. According
to the bill, cyber-terrorism is defined in general terms with a few
specific criteria, including that hacking attempts causing damage
"aggregating at least $5,000 in value" in one year, any damage to
medical equipment or "physical injury to any person." Prison terms for
such actions range between five and 20 years.
The nebulous language of section 814 does not clearly differentiate
between a computer crime or an electronic prank and an intentional act
of terror. Under this legislation, Mafiaboy or Kevin Mitnick would be
considered a cyber-terrorist, even though they were not acting against
critical national infrastructures (unless, of course, you consider E-bay
a national infrastructure!) This is like equating a water-balloon attack
with a political assassination.
According to the FBI, terrorism ?is the unlawful use of force or
violence against persons or property to intimidate or coerce a
government, the civilian population, or any segment thereof, in
furtherance of political or social objectives.? By extension, I would
posit that cyber-terrorism ?is a premeditated, politically motivated
attack against information resources that is intended to create civil
fear or unrest in order to gain a political or tactical advantage.?
Nowhere in my definition did I mention ?hacker? or ?electronic?
(although that?s certainly part of how one should interpret my proposed
definition.) Should the current legislation then be interpreted to mean
that using a computer to compromise or deface a Web site could be
construed as a ?cyber-terrorism?? Does it mean that a person using a
truck bomb to destroy an unmanned telephone facility to shut down
regional connectivity would not? The current emphasis seems to be on
just that approach. This was implied in Tom Ridge?s remarks on critical
infrastructure security when he decreed that if you ?disrupt, destroy,
or shut down information networks, you shut down America?.it is a
technical challenge, because we must always remain one step ahead of the
hackers.?
As a security professional, I believe our leaders spend too much airtime
discussing hackers, crackers, and defacers, and overlook other, more
damaging and, some might say, more probable, threats to information
security. Contrary to popular misconception, one does not need a
keyboard and a mouse to become a cyber-terrorist. There are many
different threats that could and should be deemed ?cyber-terrorism?,
none of which include shutting down highly commercialized e-commerce
sites. Remember, my proposed definition means that such events must be
identified as contributing to an adversary?s advantage, and are not done
merely for ?kicks? or bragging rights. Some such events may include:
- Disrupting or degrading East Coast Internet connectivity by
intentionally detonating a railway car in a particular location on the
Eastern Seaboard.
- Disrupting or degrading electronic devices through the high-altitude
detonation of a nuclear device.
- Utilizing skilled insiders to place exploitable code and other devious
items (e.g., logic bombs) in mass-produced software and operating
systems, especially during technology emergencies like Y2K.
- Using specially modified software and advanced unconventional
thinking, planning, and knowledge to compromise and exploit critical
information systems to disrupt ? or more strikingly ? modify data in a
manner that may not be clearly evident or easily remedied, such as
medical records or pharmacological formulae.
All of these attacks conceivably meet the FBI criteria for terrorism.
None of them, however, require hacking. Nor do all hacking attempts, or
even a small portion thereof, constitute terrorism according to these
criteria.
The lesson here is that current cyber-terrorism assessments by the
government suffer from tunnel vision, as they are unjustifiably
TCP/IP-based. Such a singular interpretation of this threat only
complicates our national efforts to effectively assess, prevent, and
respond to potential attacks in this area. A more broad-based, holistic
approach to assessing the threats against our critical information
resources - one that takes an unconventional view of the matter and goes
beyond simple ?hacking? activities - would be beneficial.
The government has continually wrestled with ways to ensure public
concerns about Internet security. This is laudable. However, they are
currently exploiting the current social and political climate to
stigmatize hackers as terrorists, thereby solving a complex, nagging
problem in a simplistic, heavy-handed manner.
If we are going to incorporate the term ?terrorism? with
information-related criminal activity, we must keep in mind the
fundamental goals of terrorists as mentioned in the FBI definition
above. A teenager who shuts down a company?s website is not a terrorist.
Nor is the creator of the I-LOVE-YOU virus or Code Red worm.
Someone acting on behalf of a state or non-state organization intending
to cause fear or public panic by disrupting critical information systems
through electronic (or the more likely) physical attack is certainly a
cyber-terrorist, and should face the consequences of the law. So should
hackers who illegally disrupt the legitimate services of legitimate
enterprises; however, they should be treated for what they are,
nuisances, annoyances and criminals - not cyberterrorists.
---------------------------------------------------------------
Liste verlassen:
Mail an infowar -
de-request -!
- infopeace -
de mit "unsubscribe" im Text.