
[infowar.de] Rick Forno: Shredding the Paper Tiger of Cyberterrorism



Infowar.de, http://userpage.fu-berlin.de/~bendrath/liste.html
-------------------------------------------------------------

Once again, a very fine polemic by Rick Forno of
www.infowarrior.org.
RB

http://online.securityfocus.com/columnists/111

Shredding the Paper Tiger of Cyberterrorism

Political posturing about cyberterrorism is a red herring that takes
attention away from the real issues of information security.

By Richard Forno Sep 25, 2002 


Over the past several months we've seen a rise in the amount of media
coverage devoted to the concept of cyberterrorism - yet, despite the
hype and hysteria, nobody can describe exactly what constitutes an act
of cyberterrorism even though, according to a recent TechWeb article,
college campuses in America are breeding grounds for such people. 

Part of the problem is that cyberterrorism has become a catch-all phrase
for any sort of illicit on-line activity; and its use (or misuse) by the
media, vendors, and government officials further muddies the waters. For
example, a Google search for the term "cyberterrorism" yields all sorts
of cases in which it is used to describe viruses, Trojans, and hacking.
Security concerns to be sure, but terrorism? Doubtful. 

While there is much fear, uncertainty and doubt associated with the
term, I posit that cyber-terrorism is really nothing more than a paper
tiger. 

Defining the Problem 

Part of the problem with cyberterrorism is that it has not been clearly
defined. In March 2002, FBI Assistant Director JT Caruso told a
Congressional hearing that the agency defines cyberterrorism as "the use
of cybertools to shut down critical national infrastructures for the
purpose of coercing or intimidating a government or civilian
population." 

That's fine, but this definition represents conventional thinking and
misses the essential point of terrorism. Terrorism, according to the
United States Defense Department, is "the calculated use of violence or
the threat of violence to inculcate fear; intended to coerce or to
intimidate governments or societies in the pursuit of goals that are
generally political, religious, or ideological." It is thus both
destructive and political, motivated as they appear to have been by
anger toward America's foreign policy over the years. While the physical toll of
the attacks was huge, perhaps more damaging was the wound that the
attackers inflicted on the American psyche, a wound from which the
nation has not yet recovered. The attacks induced fear and terror, which
is one of terrorism's primary objectives. They had an effect that a
cyber-attack could never approximate. 

Yet, we continue to hear about the gloom and doom associated with
cyber-attacks. Michael Erbschloe, President of Computer Economics, wrote
in his 2000 book Information Warfare that "in a few years, the preferred
choice of terrorists is not going to be blowing themselves up in a car
bomb... What we see (with cyber-terrorism) is that it's becoming more
organized as time goes by, and it's becoming more destructive as well." 

Politicos continue to harp on about how cyberterrorism is a clear and
present danger to the world. Even Congress buys into this Chicken Little
speculation that fuels the national 'cyberterror' hysteria. Rep. Lamar
Smith (R-TX) recently said that "a mouse can be just as dangerous as a
bullet or bomb" and Senator Charles Schumer (D-NY) repeatedly prophesies
that "terrorists could gain access to the digital controls for the
nation's utilities, power grids, air traffic control systems and nuclear
power plants." 

Scrutinize statements by White House Cybersecurity Czar Richard Clarke
(and others) that "Electronic Pearl Harbors" are a frequent occurrence
and then try to find one cyber-terror incident that has been remotely
catastrophic. You can't (we'll assume for the sake of this discussion
that a DoS against Amazon.com and Ebay cannot be considered a calamitous
event). But constant invocation of the term helps stoke the fire of
Homeland Security projects (and budgets). And it shows no sign of
relenting. 

The Real Danger 

Let's play devil's advocate for a moment and see what the real
consequences of a cyber-terror attack would be. Could someone shut down
part of a power grid or water system via a remote dial-up connection?
Perhaps, but the same could be accomplished if someone managed to gain
physical access to such facilities to throw a few switches and turn a
few knobs. Besides, we've proven during countless natural weather
disasters that we can live without electricity for short periods of
time. Should critical networks be compromised, we can still pay for
groceries with cash. 

Even if any of these scenarios were realized, life might be a bit
inconvenient or slower than normal at times, but we will still be alive,
and buildings won't have toppled. Life will continue to go on, and soon
return to normal, likely more quickly than if recovering from a physical
type of terror attack. A potential compromise of the air traffic control
system doesn't necessarily mean that planes will start falling from the
sky: airplanes have arcane backup systems known as "pilots" and
"co-pilots" who can fly and land them safely. 

Bin Laden, Hussein, or any other terrorist is not going to snicker and
proclaim a victory over the Great Satan simply because his geek corps
manages to crash the NASDAQ trading system. Darkened computer screens
don't scare people; but, as we've seen, images of smoking craters and
lower Manhattan covered with dust clouds and debris do. Would you
remember exactly where you were and what you were doing if a
cyberterrorist temporarily disrupted the NASDAQ Web site? Probably not.
Will you remember where you were when the second hijacked 767 rammed
into the World Trade Center? Most certainly. 

Defacing a Web site, releasing a virus, or shutting down Amazon.Com for
a day is not terrorism. As one government IT security consultant told me
recently, "a DDOS attack can ruin your day, but a pound of C4 explosive
in your NOC can do much more long-lasting damage." 

People are afraid of cyber-attacks and cyberterrorism because they don't
understand them. Like voodoo, cyber-attacks are a mysterious and
invisible concept, and therefore must be more dangerous than something
tangible like dynamite or aviation fuel if used by an adversary. After
all, how many people really understand how their computers work? It's
human nature to be afraid of what we don't understand. In the case of
our elderly Congress, I'd wager they're plenty afraid. 

Rational Solutions, Not Hysteria 

Much of what constitutes the "cyberterror threat" comes down to the poor
management of systems critical to the security and viability of the
United States. In other words, traditional computer security
vulnerabilities, not legions of phantom 'cyber-terrorists.' Networked
computer systems have the potential to be remotely compromised by
unauthorized persons for any number of malicious purposes. Remedying
these security problems is a function of information security
professionals, not 'counter-cyberterror' experts. 

Of course, such a response requires a rational understanding of the real
threats. It requires that systems administrators and their executive
management be given the resources to properly ensure the security of
their systems. It requires that end users are educated about the
information security threats and how to protect against them. 

It does not require political appointees wringing their hands
proclaiming "The sky is falling!" and demanding more money and more
power. Nor does it require focusing on vague, shadowy threats instead of
addressing the pressing needs and realities of information security
today. 


Richard Forno is the coauthor of Incident Response (O'Reilly) and The
Art of Information Warfare (Universal). He helped to establish the first
incident response team for the U.S. House of Representatives, and is the
former Chief Security Officer at Network Solutions. Richard is currently
writing and consulting in the Washington, DC area.
