[ISN] Cyber-terror drama skates on thin Black Ice

From: InfoSec News (isn@private)
Date: Wed Feb 25 2004 - 23:15:07 PST

  • Next message: InfoSec News: "[ISN] Documents: Hopkins youth hacked other firms"

    http://www.theregister.co.uk/content/55/35816.html
    
    [ http://www.amazon.com/exec/obidos/ASIN/0072227877/c4iorg  - WK]
    
    By Thomas C Greene in Washington
    Posted: 25/02/2004 
    
    Computerworld columnist Dan Verton has covered the security beat for 
    several years. He has recently weighed in on the cyber-terror 
    discussion with a book called Black Ice: The Invisible Threat of 
    Cyber-Terrorism. 
    
    Verton gets off to a good start in his introduction, where he notes 
    that physical attacks against high-value communications infrastructure 
    are an important area of concern. He also suggests that the 
    destructive effects of a physical terror attack could be intensified 
    by a simultaneous attack against local communications infrastructure 
    by hampering rescue efforts. At that point, I was anticipating a 
    balanced discussion of the threats and risks associated with cyber 
    terror, which is, after all, something that has never occurred. 
    
    Unfortunately, the book soon loses its balance and tips increasingly 
    in the direction of paranoid speculation. This shift in tone 
    culminates on page 96, where Verton claims that "we can safely discard 
    the opinions of those who argue that cyber-terrorism ... is 
    impossible." At that point I lost all sympathy for what the author was 
    saying. It is indeed reasonable to question the plausibility of 
    cyber-terrorism; and it's quite preposterous to "discard the opinions" 
    of sceptics. There are some very smart and knowledgeable people who 
    think cyber-terror is a myth. 
    
    Dire predictions 
    
    But discard them Verton does. His book is far more concerned with the 
    wholesale retailing of dire predictions from paranoid bureaucrats like 
    former cyber-security czar Richard Clarke and ex-Microserf Howard 
    Schmidt than a realistic exploration of the dangers involved. 
    
    Indeed, wherever Verton writes about cyber-terror per se, it is always 
    in the form of a fictional scenario. Because we've yet to experience 
    cyber-terrorism, there's little one can say about it from a strictly 
    factual point of view - certainly not enough to fill a book. 
    
    And this leads to another problem: the book spends a great deal of 
    time talking about al-Qaeda and radical jihadists in general, showing 
    us what creeps they are, as if we didn't already know, and speculating 
    that if these creatures ever decided to blow up power stations and 
    telephone infrastructure, or become elite hackers, we'd all be in 
    serious trouble. 
    
    Hollow center 
    
    This general material takes up a great deal of the book, and forms is 
    its hollow center. We can talk about terrorist possibilities until 
    we're blue in the face, but at its core, terror is about sudden and 
    violent death, not inconvenience. It's hard to imagine a terror outfit 
    attacking power distribution infrastructure after seeing the complete 
    lack of panic and mayhem in the wake of this Summer's blackout in the 
    US and Canada. People were inconvenienced, all right; but they coped 
    with it, the broken stuff got fixed, and no one was killed, 
    traumatized, or horrified. 
    
    Terror doesn't come from having the lights go dim or the phones go 
    dead or the ATM go haywire. Terror comes from hundreds or even 
    thousands of people suddenly and violently murdered in an instant. 
    This is what terrorists are after, not power outages. Unfortunately, 
    the book emphasizes threats to infrastructure as if they were the 
    primary worry, when, in fact, an infrastructure attack can only 
    intensify a real terror attack. It is not one in itself. 
    
    Verton's sources are almost exclusively himself, and bureaucrats 
    concerned with cyber-terror. There are no sceptical voices in the 
    book, and not even an attempt at offering counter-arguments to a 
    sceptical point of view. The book barely acknowledges that there are 
    valid arguments questioning cyber-terror and its significance. And 
    Verton's habit of using his own articles for reference gets suspicious 
    after a while. There's certainly nothing wrong with a journalist 
    pointing readers to his articles for additional information; but here, 
    because there is so little hard evidence Verton can supply to 
    substantiate his claims, the self-references take on a flavor of, "and 
    you know it's true because I've said it before." 
    
    Opposing views 
    
    The book is highly speculative and fails to confront opposing views. 
    We're told that we can "safely discard the opinions" of sceptics, but 
    we're not told why. The book's argumentative force rests on the 
    assertion that we should worry about cyber-terror because Richard 
    Clarke, Howard Schmidt and Tom Ridge worry about it - and because 
    security vendors reaching out for juicy gobbets of Homeland Security 
    pork "worry" about it too. 
    
    Black Ice will appeal to readers who already believe that cyber-terror
    is a clear and present danger. Those who have yet to make up their
    minds will find a one-sided discourse, and would do well to follow it
    with a more balanced book such as Beyond Fear[1] by Bruce Schneier
    before drawing any conclusions. Cyber-terror sceptics will not be
    persuaded by Verton's arguments, or his sources, and should probably
    avoid it.
    
    [1] http://www.amazon.com/exec/obidos/ASIN/0387026207/c4iorg
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Thu Feb 26 2004 - 02:16:27 PST