[ISN] Hacker threat seen as overdone

From: InfoSec News (isnat_private)
Date: Thu Dec 26 2002 - 05:23:18 PST

  • Next message: InfoSec News: "Re: [ISN] Hacker threat seen as overdone"

    Forwarded from: William Knowles <wkat_private>
    By Fred Reed
    December 26, 2002
    Much has been made, including money by the sale of books, of the
    supposed vulnerability of the United States to cyber-terrorism. The
    idea is that various bad guys could hack into the national
    infrastructure, meaning things like the electric grid, water supplies
    and air traffic control, to "bring the country to its knees."
    Such a threat is overblown, says James Lewis, of the Center for
    Strategic and International Studies, in a paper published this month.
    Mr. Lewis makes a distinction between computer networks in general and
    critical infrastructure. He says, "a brief review suggests that while
    many computer networks remain very vulnerable to attack, few critical
    infrastructures are equally vulnerable." To bring the country down
    even briefly, terrorists would have to do serious damage to critical
    systems, not just make nuisances of themselves.
    Mr. Lewis makes several points. One is that there is a difference
    between being a pest and causing strategically serious damage.  
    Bollixing up administrative systems, for example, would have no
    strategic importance. Nor would it terrify anyone.
    Second, the American infrastructure is much more robust than terror
    mongers would have us think. Failure and disruption are already a
    routine fact of infrastructural life and cause no more than
    For example, storms drop trees on power lines, causing widespread loss
    of power for a few hours. It's irritating but strategically
    insignificant. Water mains break, a new computer worm causes trouble,
    a radar fails in an air-traffic control center. The system, says Mr.  
    Lewis, is designed to work around and repair these disruptions.
    Years back, having been told how vulnerable to hackers the air-traffic
    control system was, I called an airport to ask. The response was,
    first, that the actual direction of traffic isn't on the Internet and
    second, that if hackers somehow disabled the electric grid, the
    airport would use its back-up generators.
    Well, how vulnerable is the electric grid?
    Says Mr. Lewis: "Many analyses have cyberterrorists shutting down the
    electrical power system. One of the better cyber-security surveys
    found that power companies are a primary target for cyber-attacks, and
    that 70 percent of these companies had suffered a severe attack in the
    first six months of 2002," Yet, he says, none has caused an outage.
    A point Mr. Lewis doesn't explicitly make: The underlying assumption
    in most of the cyber-doom predictions is that everyone but is stupid.
    Oddly enough, the people in charge of important infrastructure have
    thought of the obvious. The electrical engineers who run power
    networks have heard of computers. They have thought about these
    Suppose computer terrorists wanted to disrupt the water supply, which
    has been suggested as a danger. Mr. Lewis notes that the United States
    has 54,064 different water-supply systems. That's a lot of targets to
    attack. Some are more important than others: Of the total, he says,
    353 serve 40 percent of the population. Brief disruptions of water
    supplies do not threaten the national security.
    Is the military at risk? Mr. Lewis says, " while there were many
    attacks against U.S. military computer networks during operations in
    Kosovo, these attacks did not result in sorties being canceled or in a
    single casualty."
    An assumption I have noticed in disaster scenarios is that if a
    terrorist can disrupt a network's computers, the network is destroyed.  
    Actually, computers fail frequently, whereupon the engineers reload
    from backups and life goes on.
    His conclusion: "The sky is not falling, and cyber-weapons seem to be
    of limited value in attacking national power or intimidating
    "Communications without intelligence is noise;  Intelligence
    without communications is irrelevant." Gen Alfred. M. Gray, USMC
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Thu Dec 26 2002 - 16:47:55 PST