Suche innerhalb des Archivs / Search the Archive All words Any words

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[] Bruce Schneier: The Risks of Cyberterrorism,

CRYPTO-GRAM, June 15, 2003
by Bruce Schneier


The Risks of Cyberterrorism

The threat of cyberterrorism is causing much alarm these days.  We have 
been told to expect attacks since 9/11; that cyberterrorists would try 
to cripple our power system, disable air traffic control and emergency 
services, open dams, or disrupt banking and communications.  But so 
far, nothing's happened.  Even during the war in Iraq, which was 
supposed to increase the risk dramatically, nothing happened.  The 
impending cyberwar was a big dud.  Don't congratulate our vigilant 
security, though; the alarm was caused by a misunderstanding of both 
the attackers and the attacks.

These attacks are very difficult to execute.  The software systems 
controlling our nation's infrastructure are filled with 
vulnerabilities, but they're generally not the kinds of vulnerabilities 
that cause catastrophic disruptions.  The systems are designed to limit 
the damage that occurs from errors and accidents.  They have manual 
overrides.  These systems have been proven to work; they've experienced 
disruptions caused by accident and natural disaster.  We've been 
through blackouts, telephone switch failures, and disruptions of air 
traffic control computers.  In 1999, a software bug knocked out a 
nationwide paging system for a day.  The results might be annoying, and 
engineers might spend days or weeks scrambling, but the effect on the 
general population has been minimal.

The worry is that a terrorist would cause a problem more serious than a 
natural disaster, but this kind of thing is surprisingly hard to 
do.  Worms and viruses have caused all sorts of network disruptions, 
but it happened by accident.  In January 2003, the SQL Slammer worm 
disrupted 13,000 ATMs on the Bank of America's network.  But before it 
happened, you couldn't have found a security expert who understood that 
those systems were dependent on that vulnerability.  We simply don't 
understand the interactions well enough to predict which kinds of 
attacks could cause catastrophic results, and terrorist organizations 
don't have that sort of knowledge either -- even if they tried to hire 

The closest example we have of this kind of thing comes from Australia 
in 2000.  Vitek Boden broke into the computer network of a sewage 
treatment plant along Australia's Sunshine Coast.  Over the course of 
two months, he leaked hundreds of thousands of gallons of putrid sludge 
into nearby rivers and parks.  Among the results were black creek 
water, dead marine life, and a stench so unbearable that residents 
complained.  This is the only known case of someone hacking a digital 
control system with the intent of causing environmental harm.

Despite our predilection for calling anything "terrorism," these 
attacks are not.  We know what terrorism is.  It's someone blowing 
himself up in a crowded restaurant, or flying an airplane into a 
skyscraper.  It's not infecting computers with viruses, forcing air 
traffic controllers to route planes manually, or shutting down a pager 
network for a day.  That causes annoyance and irritation, not terror.

This is a difficult message for some, because these days anyone who 
causes widespread damage is being given the label "terrorist."  But 
imagine for a minute the leadership of al Qaeda sitting in a cave 
somewhere, plotting the next move in their jihad against the United 
States.  One of the leaders jumps up and exclaims: "I have an 
idea!  We'll disable their e-mail...."  Conventional terrorism -- 
driving a truckful of explosives into a nuclear power plant, for 
example -- is still easier and much more effective.

There are lots of hackers in the world -- kids, mostly -- who like to 
play at politics and dress their own antics in the trappings of 
terrorism.  They hack computers belonging to some other country 
(generally not government computers) and display a political 
message.  We've often seen this kind of thing when two countries 
squabble: China vs. Taiwan, India vs. Pakistan, England vs. Ireland, 
U.S. vs. China (during the 2001 crisis over the U.S. spy plane that 
crashed in Chinese territory), the U.S. and Israel vs. various Arab 
countries.  It's the equivalent of soccer hooligans taking out national 
frustrations on another country's fans at a game.  It's base and 
despicable, and it causes real damage, but it's cyberhooliganism, not 

There are several organizations that track attacks over the 
Internet.  Over the last six months, less than 1% of all attacks 
originated from countries on the U.S. government's Cyber Terrorist 
Watch List, while 35% originated from inside the United 
States.  Computer security is still important.  People overplay the 
risks of cyberterrorism, but they underplay the risks of 
cybercrime.  Fraud and espionage are serious problems.  Luckily, the 
same countermeasures aimed at cyberterrorists will also prevent hackers 
and criminals.  If organizations secure their computer networks for the 
wrong reasons, it will still be the right thing to do.

Liste verlassen: 
Mail an infowar -
 de-request -!
- infopeace -
 de mit "unsubscribe" im Text.