Adding perspectives Re: [ISN] Cyber terrorism is 'fantasy'

From: InfoSec News (isnat_private)
Date: Tue Dec 04 2001 - 00:23:51 PST

  • Next message: InfoSec News: "[ISN] College student refutes charges he is high-level hacker"

    Forwarded from: Fred Villella <NDIat_private>
    Cc: Dan_Vertonat_private
    
    Usually William's "rants" are valuable (and that is often) for NDI
    Training classes, which are designed to improve the understanding of
    the challenges we face. When NDI (one of the first) introduced hackers
    to the legitimate government stage, it was not to reap huge benefits
    or indorse Hacking, it was to inform.
     
    Getting into that was hazardous and I was attacked with some falsely
    misrepresented misinformation.  However, there was a lot to learn and
    still is, on that topic and it helps understand the capabilities of
    Cyberterror.
    
    Several years ago I did a lot of early work in Terrorism and response
    at the state, local and federal levels.  And worked with the top
    international Terrorism experts. Real experts who faced real terror in
    their countries.
    
    There was a lot to be learned and those interests remain very high on
    my list. That early introduction helped me start the federal focus on
    International Terrorism Preparedness in the early 80s and later put
    together the first Training manual with color pictures of the
    Principal terrorists.
    
    I appreciate the dialogue you guys have begun. & believe that
    discourse is needed. There are a lot of pseudo experts and
    misdirections that need to be surfaced and dealt with by revealing the
    facts-the truth..and often the unpleasant.
    
    Being emotional or critical is understandable. But not always helpful;
    but the loss of so many lives merits whatever it takes to stay awake
    on this topic and get some positive perspectives that motivate
    preparedness.
    
    The essence of Terrorism will always remain focused on two key things from 
    our view: 1. Intelligence and 2. Managing the consequences.
    
    Hopefully the discourse you have started will continue. Obviously it
    remains a serious concern to the nation.  I admit having retreated
    from a previous concentration on this subject, largely because of
    complacency out there.. It is a topic we did not want to hear about.
    
    NDI has started a modest course effort on an introduction to Cyber
    Terror and hopefully that will help get some focus at the operational
    levels. It is truly a modest initiative.
    
    There has been some national discourse for sometime on the topics. The
    attendance at some of the conferences and funded STUDIES have been a
    good business for many.
    
    And there are a lot of charlatans and a lot of contracts let by well
    meaning folks in government and industry.
    
    We do somehow have to provide these well meaning functionaries with
    good perspectives and guidance. That also includes those who must be
    Oracles of Delphi on the topic, because their responsibility is to
    take a position and fulfill a mission.
    
    That includes a lot of people.  Dan Verton and William Knowles et al
    should be encouraged to continue the dialogue and hope that it grows
    and helps us all reach a prudent and productive set of national and
    even personal priorities to deal with this beast... that will never go
    away.  Thanks Dan and William and others for taking the time to deal
    with the topic. It remains urgent.
    
    Fred Villella   
    New Dimensions International
    www.newdimensions.net
    NDIat_private
    
    
    
    In a message dated 12/3/01 3:20:31 AM Pacific Standard Time, isnat_private 
    writes:
    
     To:    isnat_private
     
     Forwarded from: Dan Verton <Dan_Vertonat_private>
     
     From: Dan Verton, senior writer, Computerworld, and former intelligence 
    officer
     
     Rosenberger is right on many points. This is something I have been
     writing about for more than a year and have even put Mr. Clarke on the
     spot in a public forum and got him to reverse on the use of the term
     cyber-terrorism (see CNN
     
    http://www.cnn.com/2000/TECH/computing/07/03/real.cyberterror.idg/index.html).
     
     I aired my concerns about the misguided use of language when it comes
     to discussions of cyber threats at the recent Black Hat briefings in
     Las Vegas. I watched as several so-called "visionaries" of the
     computer industry chuckled at my protestations that the phrase
     cyber-terrorism is a product of individuals with a vested interest in
     promoting fear and such a term demonstrates a profound ignorance of
     what terrorism is all about and what the future of terrorism is
     believed to hold.
     
     The more sophisticated view of national cyber security, however,
     accepts the possibility of a large-scale, surprise cyber hiccup or
     limited infrastructure attack (that, yes, may have a ripple effect on
     other sectors), but rejects the notion of planes falling out of the
     sky, nationwide train derailments or environmental disasters at the
     click of a mouse. Sophisticated observers also accept the threat of
     massive Internet-based bank fraud and the impact such incidents could
     have on the stock market. But they reject the notion that terrorists
     have all of a sudden come to value virtual bombs as opposed to the
     fear generated by images of bleeding children on the nightly news.
     
     Terrorism, as we in the U.S. have come to know it, is a form of
     violence that strikes fear in the hearts and minds of people because
     of its destructive power and its ability to wreak havoc and physical
     pain on unsuspecting, innocent people. Few people will ever forget the
     horrific scenes from Lockerbie, Scotland, where in 1988 a bomb ripped
     apart Pan Am Flight 103 in mid air, killing all 270 passengers.
     Likewise, the 1983 bombing of the U.S. Marine barracks in Beirut,
     Lebanon, that killed 241 Marines and Sailors, and more than 100
     others, serves as a timeless reminder of what the destructive forces
     of terrorism are all about. The same can be said of the 1995 bombing
     of the Alfred P. Murrah Federal Building in Oklahoma City, Oklahoma,
     which killed 168 and wounded more than 500.
     
     You would think with all of the talk about how much of a "surprise"
     Sept. 11 was (it was not) that our language surrounding so-called
     cyber-terrorism and information "warfare" would have evolved somewhat.
     
     The problem is that we have a large number of neophyte intelligence
     and warfare experts in the computer industry perpetuating the use of
     this misguided terminology. Its use does not advance our understanding
     of terrorism or warfare for that matter. It dilutes our understanding
     of the terrorist's intent -- intent is a concept that novices in
     intelligence and warfare do not readily grasp. Nor do they grasp the
     importance of building a capabilities matrix based on intent and
     intelligence requirements to conduct something like a cyber
     "terrorist" attack.
     
     What we are stuck with, however, is terminology that has been
     perpetuated by individuals with a vested interest in promoting fear --
     and that goes for both the government and industry.
     
     I'll end with this interesting observation on the problem: I just
     finished reading a book on Information warfare by an industry type who
     has no formal training in any aspect of warfare, intelligence or the
     like. Although the book attempted to take the military concept of IW
     and apply it to private industry, how can anybody pretend to do that
     without a serious understanding of the first part of that equation?
     There's our problem.
     
     Dan Verton
     
     
     
     
     InfoSec News <isnat_private> on 11/30/2001 07:14:50 AM
     
     Please respond to InfoSec News <isnat_private>
     
     To:   isnat_private
     cc:    (bcc: Dan Verton/Computerworld)
     
     Subject:  RE: [ISN] Cyber terrorism is 'fantasy'
     
     
     Forwarded from: Junkmail Rosenberger <junkmailat_private>
     
     I reject Knowles' argument out-of-hand.  He misses the point when he asserts
     "[who] would have thought that someone would have hijacked commercial
     jetliners and used them as cruise missiles."
     
     The simple fact is that terrorists *always* had the ability to turn planes
     into cruise missiles; their effectiveness as flying bombs merely grew in
     proportion to their fuel payload.  On the other hand, Cluley & I & others
     insist no one [yet] has the ability to destroy America with a computer virus
     (read http://Vmyths.com/rant.cfm?id=410&page=4 for starters).  We can
     therefore sum up Knowles' misguided argument as follows:
     
        --> "commercial aircraft as bomb" is VERY feasible but NOT likely;
        --> "computer virus as bomb" is NOT feasible but VERY likely.
     
     Knowles & others (e.g. Michael Vatis, Richard Clarke) could validate their
     cyber-terrorism arguments with just one -- I repeat, ONE -- technologically
     feasible idea for destroying America with a computer virus.
     
     Rob Rosenberger, Vmyths editor
     Truth about computer virus hysteria
     http://Vmyths.com
     
     
     
     [WK Note: One problem I have is occasionally I don't make myself clear
     in my commentary on ISN, this can be attributed to lack of sleep, lack
     of RedBull in the fridge, and the thought of business travel. There
     are others, but I'd have to sleep on that.
     
     > I guess Cluley thinks the same about landmines too, if one is not
     > careful where placing them and mapping their location, one could
     > also very well be a victim, but viruses like landmines make for
     > great force multipliers for a cyberterrorist."
     
     What I was meaning to say is that I don't expect the Internet to melt
     down over one virus, but that the tactical use of viruses would be one
     weapon of several that a cyberterrorist would likely use to create
     mayhem. Just as you would use landmines, razor wire, & interlocking
     fields of machinegun fire to slow your enenmy down.
     
     > I am not looking forward to the day of when we see a simultaneous
     > cross-platform, multiple vulnerability virus that would have the
     > AV companies pulling their hair out trying to find a solution, and
     > then able to push that software update onto networks severely
     > choked with a combination of DDoS attacks, virus traffic, network
     > outages, and major DNS servers down from repeated hacking attacks.
     
     I agree with Rob that Usama is not interested in melting your MP3's,
     Russian pr0n pics, or mailing out everyone in your Outlook address
     book 'I send this for your advice' with a virus, Usama wants you dead.
     I have yet to see anyone bring up cyberterrorism with regular
     terrorism, and that is another point that I should make clear here, I
     have always belived (along with a few others) that cyberterrorism
     would be used first before a large scale terrorist attack.
     
     Slowing down or stopping commerical, goverment, and military networks
     along with the interdependence of the Internet would cripple the basic
     command and control of government and first responders to a major
     terrorism event.
     
     
     But enough of me ranting on, I have to get some sleep and run to
     Costco for another case of RedBull.     - William Knowles 9.30.01]
     
     
     
     -
     ISN is currently hosted by Attrition.org
     
     To unsubscribe email majordomoat_private with 'unsubscribe isn' in the 
    BODY
     of the mail.
     
     
     
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
    



    This archive was generated by hypermail 2b30 : Tue Dec 04 2001 - 02:25:56 PST