Forwarded from: Richard Forno <rfornoat_private>

> Such a threat is overblown, says James Lewis, of the Center for
> Strategic and International Studies, in a paper published this
> month.

It's about bloody time others start saying this. I'm so sick of
politicos, corporations, special interests, (and their paid-for
think-tanks) preaching the Chicken Little message. I can't wait to
read their report to see if it truly supports this position.

For the past year, I've said the same thing to my military audiences
at NDU in Washington. I particularly despise Sen Schumer (D-NY) who
believes that if someone hacked the FAA, airplanes would fall from the
sky. Good ol' Bud forgets that planes have a really good backup system
called "pilot" and "co-pilot" and that a sudden loss of FAA systems
probably won't have planes crashing....after all, the systems are so
old anyway that they go up and down like a yo-yo, and most commercial
pilots have had to deal with that 'feature' of air travel.

> Mr. Lewis makes a distinction between computer networks in general
> and critical infrastructure. He says, "a brief review suggests that
> while many computer networks remain very vulnerable to attack, few
> critical infrastructures are equally vulnerable." To bring the
> country down even briefly, terrorists would have to do serious
> damage to critical systems, not just make nuisances of themselves.

AMEN! Amazon getting hacked or DoJ getting defaced isn't a critical
national security problem. Now, a "critical infrastructure" such as
water plants or financial systems, that's a different thing. Anyone
who thinks otherwise is an idiot and shouldn't be in a position of
national leadership.

> Mr. Lewis makes several points. One is that there is a difference
> between being a pest and causing strategically serious damage.
> Bollixing up administrative systems, for example, would have no
> strategic importance. Nor would it terrify anyone.

An Islamic terrorist won't say "Allah be praised, the NASDAQ is
crashed! The Americans are scared of us!" -- it's much more effective
to crash a few planes into buildings and watch the visceral,
gut-wrenching fear that results, which is FAR more effective and FAR
more easy to do than hack something. 0911 was done for under $150K
according to some reports, and if you think about it, the terrorists
got a heck of a return for their investment, far more than they could
hope to achieve in a 'cyberwar' attack.

> Second, the American infrastructure is much more robust than terror
> mongers would have us think. Failure and disruption are already a
> routine fact of infrastructural life and cause no more than
> inconvenience.

Yup. I join those who say last month's DDOS attack on the root servers
was highly-overblown by the media. DNS still functioned. Even if the
roots went down, you can still navigate & send mail via IP address --
the root servers just make it a bit easier for people not to have to
remember zillions of different IP addresses. Sure, a 'new' or
'modified' domain name might not be accessible, but the net will still
function.

> For example, storms drop trees on power lines, causing widespread
> loss of power for a few hours. It's irritating but strategically
> insignificant. Water mains break, a new computer worm causes
> trouble, a radar fails in an air-traffic control center. The system,
> says Mr. Lewis, is designed to work around and repair these
> disruptions.

Jeepers, this guy must've read my SecurityFocus column "Shredding The
Paper Tiger of Cyberterrorism."
http://online.securityfocus.com/columnists/111

> A point Mr. Lewis doesn't explicitly make: The underlying assumption
> in most of the cyber-doom predictions is that everyone but is
> stupid.

No, the folks who believe in cyberterrorism are stupid, ignorant,
FUD-following sheep.
And companies that sell 'cybersecurity intelligence' to help protect
against 'cyberterrorism' are only fleecing their clueless clients.

The cyberterrorist threat is a sensational concept based on FUD,
ignorance, and hype....and believed to be true by the same politicos
who think "Swordfish" was a realistic movie about INFOSEC.

If we're going to say there are cyberterrorists, then we've got to
start saying 0911 was the result of aeroterrorists. The manner in
which the attack is carried out doesn't matter -- terrorism is
terrorism is terrorism.

As George Carlin might say, "there are no cyberterrorists." In this
case, instead of accepting responsibility for our actions (or
inactions) regarding INFOSEC, we point fingers at anyone else - such
as phantom cyberterrorists - to avoid responsibility and
accountability. It's nothing more than the latest version of Passing
The Buck. We see INFOSEC incidents occur regularly because WE MAKE IT
EASY FOR THEM TO OCCUR and thus BRING IT ON OURSELVES....either
through poor management, bad system/network administration and design,
or shoddy software.

> His conclusion: "The sky is not falling, and cyber-weapons seem to
> be of limited value in attacking national power or intimidating
> citizens."

Hear, hear.

Rick
Infowarrior.org

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn'
in the BODY of the mail.
This archive was generated by hypermail 2b30 : Fri Dec 27 2002 - 09:52:46 PST