[ISN] Security analysts dismiss fears of terrorist hackers - Electricity, water systems hard to damage online

From: InfoSec News (isnat_private)
Date: Mon Jul 01 2002 - 03:12:36 PDT

  • Next message: InfoSec News: "[ISN] Tech managers targeted by cyber criminals"

    Forwarded from: William Knowles <wkat_private>
    Bill Wallace, Chronicle Staff Writer 
    Sunday, June 30, 2002 
    Despite growing government concern that al Qaeda and its allies may
    try to use computers to disrupt electrical power grids, transportation
    systems and emergency communication networks, many experts on
    terrorism and computer security are skeptical about the overall menace
    of cyber-terrorism.
    "The notion that somebody armed with a laptop in Peshawar, Pakistan,
    could bring down California's power grid is pretty far-fetched," said
    Kevin Terpstra, communications director for the California Department
    of Information Technology, an agency responsible for assessing the
    security of the state's computer systems.
    "There is reason to be concerned about computer security and critical
    infrastructure vulnerabilities . . . but the likelihood of this type
    of an attack is very small."
    Cyber-terrorism has become one of the hottest buzzwords among national
    security officials, especially since the Sept. 11 attacks. The subject
    has been the topic of numerous legislative hearings in Washington,
    D.C., and more than 560 newspaper and magazine articles using the term
    have been published in the past year alone.
    In January, the FBI's National Infrastructure Protection Center warned
    that information on the Internet about power plants, toxic waste dumps
    and other sensitive sites could be used by foreign extremists to
    launch attacks on the United States.
    And last week, the Business Software Alliance, a trade association,
    released an industry survey in which 59 percent of the information
    technology specialists polled said they considered a major terrorist
    computer attack likely in the next 12 months.
    Underscoring the possible danger, several newspapers reported that
    computer operators in the Middle East and South Asia had attempted to
    penetrate computer systems in Northern California last fall.
    However, experts interviewed by The Chronicle said the vast majority
    of these computer intruders are trying to steal information -- not
    shut down electrical utilities, release water from dams or engage in
    other dangerous acts of sabotage.
    It is difficult, the experts say, for a hacker to launch an attack on
    an infrastructure control system because very few of these systems are
    accessible through the Internet.
    In March, CIO magazine, a journal for computer system professionals,
    published a detailed article on information security that debunked the
    cyber- terrorist threat.
    The magazine quoted Marcus Kempe, the director of operations for the
    Massachusetts Water Resource Authority, as saying a cyber-terrorist
    intent on tampering with his utility would have to make three
    complicated intrusions to gain access to the necessary control
    And he would have to break into a highly secure building in
    Massachusetts in order to make them because the system is not
    connected to the Internet. This would present a problem for the
    terrorist who thinks he can sabotage the utility by using his laptop
    in Pakistan.
    "Could a computer attack get us to a high-consequence event? Probably
    not," Kempe told the magazine.
    David Wagner, a computer science professor at UC Berkeley who
    specializes in information security, said some utilities do have
    operations that are controlled by means of the Internet, "but not all
    of them and maybe not the most critical ones."
    "There are some crucial vulnerabilities," Wagner said, "but if you
    want to rank how serious those vulnerabilities are, they are less
    serious than what you can do with explosives and much less serious
    than what you could do with chemical or biological agents.
    "I used to be concerned about cyber-terrorism, but I think in the past
    year I have come to realize that it is not the most serious thing we
    have to worry about."
    Dorothy Denning, the director of the Georgetown University Institute
    for Information Assurance, testified before the House Judicial
    Committee two years ago that cyber-terrorism, while worthy of concern,
    was overrated as a threat to the American public. Denning told The
    Chronicle that her opinion has changed little since the Sept. 11
    "To get noticed, they would have to do something very dramatic, like
    flood a dam or something," she told The Chronicle. "Those kinds of
    actions are a lot more difficult to engineer with a computer than they
    would be with a bomb -- and whether they would work or not would be a
    lot less certain."
    John Pike, a weapons systems analyst and director of
    Globalsecurity.org, a defense policy organization in Washington, D.C.,
    stressed that terrorists use simple, direct methods for operations
    because they are less likely to fail.
    He said the Sept. 11 attacks were a perfect example. "You had 20
    people get on four planes to attack two targets," he said. "Only 19
    made the flights, and only three of the planes reached their targets.  
    But the plan succeeded anyway because it was simple."
    He said cyber-attack scenarios are too complex to have much appeal for
    terrorist groups. Furthermore, they are likely to fail.
    "If you pitch a bad script in Hollywood, the worst that can happen is
    you get thrown out of the office," he said with a chuckle. "If I were
    some guy from al Qaeda pitching a (complicated and risky)  
    cyber-terrorism plot to Osama bin Laden, I would be a little nervous
    about making it out of his office alive. "
    E-mail Bill Wallace at bwallaceat_private
    "Communications without intelligence is noise;  Intelligence
    without communications is irrelevant." Gen Alfred. M. Gray, USMC
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Mon Jul 01 2002 - 05:42:41 PDT