Re: [ISN] Hacker threat seen as overdone

From: InfoSec News (isnat_private)
Date: Fri Dec 27 2002 - 04:12:43 PST

  • Next message: InfoSec News: "[ISN] Cyberspace sentinels brace for trouble"

    Forwarded from: Richard Forno <rfornoat_private>
    > Such a threat is overblown, says James Lewis, of the Center for
    > Strategic and International Studies, in a paper published this
    > month.
    It's about bloody time others start saying this. I'm so sick of
    politicos, corporations, special interests, (and their paid-for
    think-tanks) preaching the Chicken Little message.  I can't wait to
    read their report to see if it truly supports this position.
    For the past year, I've said the same thing to my military audiences
    at NDU in Washington.
    I particularly despise Sen Shumer (D-NY) who believes that if someone
    hacked the FAA, airplanes would fall from the sky. Good ol' Bud
    forgets that planes have a really good backup system called "pilot"
    and "co-pilot" and that a sudden loss of FAA systems probably won't
    have planes crashing....after all, the systems are so old anyway that
    they go up and down like a yo-yo, and most commercial pilots have had
    to deal with that 'feature' of air travel.
    > Mr. Lewis makes a distinction between computer networks in general
    > and critical infrastructure. He says, "a brief review suggests that
    > while many computer networks remain very vulnerable to attack, few
    > critical infrastructures are equally vulnerable." To bring the
    > country down even briefly, terrorists would have to do serious
    > damage to critical systems, not just make nuisances of themselves.
    AMEN!  Amazon getting hacked or DoJ getting defaced isn't a critical
    national security problem. Now, a "critical infrastructure" such as
    water plants or financial systems, that's a different thing. Anyone
    who thinks otherwise is an idiot and shouldn't be in a position of
    national leadership.
    > Mr. Lewis makes several points. One is that there is a difference
    > between being a pest and causing strategically serious damage.
    > Bollixing up administrative systems, for example, would have no
    > strategic importance. Nor would it terrify anyone.
    An Islamic terrorist won't say "Allah be praised, the NASDAQ is
    crashed! The Americans are scared of us!"  -- it's much more effective
    to crash a few planes into buildings and watch the viseral,
    gut-wrenching fear that results, which is FAR more effective and FAR
    more easy to do than hack something.
    0911 was done for under $150K according to some reports, and if you
    think about it, the terrorists got a heck of a return for their
    investment, far more than they could hope to achive in a 'cyberwar'
    > Second, the American infrastructure is much more robust than terror
    > mongers would have us think. Failure and disruption are already a
    > routine fact of infrastructural life and cause no more than
    > inconvenience.
    Yup. I join those who say last month's DDOS attack on the root servers
    was highly-overblown by the media. DNS still functioned. Even if the
    roots went down, you can still navigate & send mail via IP address --
    the root servers just make it a bit easier for people not to have to
    remember zillions of different IP addresses.  Sure, a 'new' or
    'modified' domain name might not be accessible, but the net will still
    > For example, storms drop trees on power lines, causing widespread
    > loss of power for a few hours. It's irritating but strategically
    > insignificant. Water mains break, a new computer worm causes
    > trouble, a radar fails in an air-traffic control center. The system,
    > says Mr. Lewis, is designed to work around and repair these
    > disruptions.
    Jeepers, this guy must've read my SecurityFocus column "Shredding The
    Paper Tiger of Cyberterrorism."
    > A point Mr. Lewis doesn't explicitly make: The underlying assumption
    > in most of the cyber-doom predictions is that everyone but is
    > stupid.
    No, the folks who believe in cyberterrorism are stupid, ignorant,
    FUD-following sheep. And companies that sell 'cybersecurity
    intelligence' to help protect against 'cyberterrorism' are only
    fleecing their clueless clients.
    The cyberterrorist threat is a sensational concept based on FUD,
    ignorance, and hype....and believed to be true by the same politicos
    who think "Swordfish" was a realistic movie about INFOSEC.
    If we're going to say there are cyberterrorists, then we've got to
    start saying 0911 was the result of aeroterrorists. The manner in
    which the attack is carried out doesn't matter -- terrorism is
    terrorism is terrorism.
    As George Carlin might say, "there are no cyberterrorists."
    In this case, instead of accepting responsibility for our actions (or
    inactions) regarding INFOSEC, we point fingers at anyone else - such
    as phantom cyberterrorists - to avoid responsibility and
    accountability. It's nothing more than the latest version of Passing
    The Buck.  We see INFOSEC incidents occur regularly because WE MAKE IT
    through poor management, bad system/network administration and design,
    or shoddy software.
    > His conclusion: "The sky is not falling, and cyber-weapons seem to
    > be of limited value in attacking national power or intimidating
    > citizens."
    Here, here.
    ISN is currently hosted by
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Fri Dec 27 2002 - 09:52:46 PST