Shredding the Paper Tiger of Cyberterrorism
Richard Forno, 2002-09-25

Political posturing about cyberterrorism is a red herring that takes attention away from the real issues of information security.

Over the past several months we’ve seen a rise in the amount of media coverage devoted to the concept of cyberterrorism – yet, despite the hype and hysteria, nobody can describe exactly what constitutes an act of cyberterrorism even though, according to a recent TechWeb article, college campuses in America are breeding grounds for such people.

Part of the problem is that cyberterrorism has become a catch-all phrase for any sort of illicit on-line activity; and its use (or misuse) by the media, vendors, and government officials further muddies the waters. For example, a Google search for the term “cyberterrorism” yields all sorts of cases in which it is used to describe viruses, Trojans, and hacking. Security concerns to be sure, but terrorism? Doubtful.

While there is much fear, uncertainty and doubt associated with the term, I posit that cyber-terrorism is really nothing more than a paper tiger.

Defining the Problem

Part of the problem with cyberterrorism is that it has not been clearly defined. In March 2002, FBI Assistant Director JT Caruso told a Congressional hearing that the agency defines cyberterrorism as “the use of cybertools to shut down critical national infrastructures for the purpose of coercing or intimidating a government or civilian population.”

That’s fine, but this definition represents conventional thinking and misses the essential point of terrorism. Terrorism, according to the United States Defense Department, is “the calculated use of violence or the threat of violence to inculcate fear; intended to coerce or to intimidate governments or societies in the pursuit of goals that are generally political, religious, or ideological.” It is thus both destructive and political, motivated as they appear to have been by anger toward America’s foreign policy over the years.

While the physical toll of the attacks was huge, perhaps more damaging was the wound that the attackers inflicted on the American psyche, a wound from which the nation has not yet recovered. The attacks induced fear and terror, which is one of terrorism’s primary objectives. They had an effect that a cyber-attack could never approximate.

Yet, we continue to hear about the gloom and doom associated with cyber-attacks. Michael Erbschloe, President of Computer Economics, wrote in his 2000 book Information Warfare that “in a few years, the preferred choice of terrorists is not going to be blowing themselves up in a car bomb…What we see (with cyber-terrorism) is that it's becoming more organized as time goes by, and it's becoming more destructive as well.”

Politicos continue to harp on about how cyberterrorism is a clear and present danger to the world. Even Congress buys into this Chicken Little speculation that fuels the national ‘cyberterror’ hysteria. Rep. Lamar Smith (R-TX) recently said that “a mouse can be just as dangerous as a bullet or bomb” and Senator Charles Schumer (D-NY) repeatedly prophesies that “terrorists could gain access to the digital controls for the nation's utilities, power grids, air traffic control systems and nuclear power plants.”

Scrutinize statements by White House Cybersecurity Czar Richard Clarke (and others) that “Electronic Pearl Harbors” are a frequent occurrence and then try to find one cyber-terror incident that has been remotely catastrophic. You can’t (we’ll assume for the sake of this discussion that a DoS against Amazon.com and eBay cannot be considered a calamitous event). But constant invocation of the term helps stoke the fire of Homeland Security projects (and budgets). And it shows no sign of relenting.

The Real Danger

Let’s play devil’s advocate for a moment and see what the real consequences of a cyber-terror attack would be. Could someone shut down part of a power grid or water system via a remote dial-up connection? Perhaps, but the same could be accomplished if someone managed to gain physical access to such facilities to throw a few switches and turn a few knobs. Besides, we’ve proven during countless natural weather disasters that we can live without electricity for short periods of time. Should critical networks be compromised, we can still pay for groceries with cash.

Even if any of these scenarios were realized, life might be a bit inconvenient or slower than normal at times, but we will still be alive, and buildings won’t have toppled. Life will continue to go on, and soon return to normal, likely more quickly than if recovering from a physical type of terror attack. A potential compromise of the air traffic control system doesn’t necessarily mean that planes will start falling from the sky: airplanes have arcane backup systems known as “pilots” and “co-pilots” who can fly and land them safely.

Bin Laden, Hussein, or any other terrorist is not going to snicker and proclaim a victory over the Great Satan simply because his geek corps manages to crash the NASDAQ trading system. Darkened computer screens don't scare people; but, as we’ve seen, images of smoking craters and lower Manhattan covered with dust clouds and debris do. Would you remember exactly where you were and what you were doing if a cyberterrorist temporarily disrupted the NASDAQ Web site? Probably not. Will you remember where you were when the second hijacked 767 rammed into the World Trade Center? Most certainly.

Defacing a Web site, releasing a virus, or shutting down Amazon.com for a day is not terrorism. As one government IT security consultant told me recently, “a DDOS attack can ruin your day, but a pound of C4 explosive in your NOC can do much more long-lasting damage.”

People are afraid of cyber-attacks and cyberterrorism because they don’t understand them. Like voodoo, cyber-attacks are a mysterious and invisible concept, and therefore must be more dangerous than something tangible like dynamite or aviation fuel if used by an adversary. After all, how many people really understand how their computers work? It’s human nature to be afraid of what we don’t understand. In the case of our elderly Congress, I’d wager they’re plenty afraid.

Rational Solutions, Not Hysteria

Much of what constitutes the "cyberterror threat" comes down to the poor management of systems critical to the security and viability of the United States. In other words, traditional computer security vulnerabilities, not legions of phantom ‘cyber-terrorists.’ Networked computer systems have the potential to be remotely compromised by unauthorized persons for any number of malicious purposes. Remedying these security problems is a function of information security professionals, not ‘counter-cyberterror’ experts.

Of course, such a response requires a rational understanding of the real threats. It requires that systems administrators and their executive management be given the resources to properly ensure the security of their systems. It requires that end users are educated about the information security threats and how to protect against them.

It does not require political appointees wringing their hands proclaiming “The sky is falling!” and demanding more money and more power. Nor does it require focusing on vague, shadowy threats instead of addressing the pressing needs and realities of information security today.


Richard Forno is the coauthor of Incident Response (O'Reilly) and The Art of Information Warfare (Universal). He helped to establish the first incident response team for the U.S. House of Representatives, and is the former Chief Security Officer at Network Solutions. Richard is currently writing and consulting in the Washington, DC area.
Comments:
You're the best 2002-09-26
Andrew Jones
Right on target. 2002-09-27
Anonymous
thanks for the comments! 2002-09-28
rick forno
Thanks, excellent article 2002-10-02
docsteely
Shredding the Paper Tiger of Cyberterrorism 2002-10-04
Thanatos - aka - Global Proxy Fuck
Shredding the Paper Tiger of Cyberterrorism 2002-10-08
Matthias Blazejak (Germany)


 

Copyright 2010, SecurityFocus