[ISN] El Reg badly misguided on cyber-terror threat

From: InfoSec News (isn@private)
Date: Thu Mar 04 2004 - 03:09:58 PST

    http://www.theregister.co.uk/content/7/35983.html
    
    By Thomas C Greene in Washington
    Posted: 03/03/2004 
    
    Our recent, negative review of Black Ice: The Invisible Threat of 
    Cyber-Terrorism by Dan Verton drew a good deal of reader mail, 
    including a request by the author to debate the issues raised in our 
    article, and his book. 
    
    When Verton invited us via e-mail to "do a Q&A to give me the chance 
    to refute the ridiculous claims you make in your review of my book," 
    well, we couldn't possibly refuse. It was agreed that El Reg would ask 
    the questions, and Verton would answer, thereby enjoying the last 
    word. Herewith our exchange, edited very lightly: 
    
    El Reg: You indicate that cyber-terror skeptics have their heads in 
    the sand, that they're ignoring signs of a growing interest among 
    terror outfits in infrastructure attacks. But where's the evidence of 
    this? A few laptops may have been seized with evidence of some limited 
    research along these lines, but that's hardly the same as a plan. So 
    far as I know, there has never been any evidence of a coherent plan or 
    the financial backing needed to attempt anything along those lines. Am 
    I mistaken? 
    
    Verton: Yes, you are mistaken. The evidence that you are looking for 
    and that the skeptics are looking for is not the only evidence that 
    exists. You cannot map terrorist threats to vulnerabilities without a 
    solid understanding of the evolutionary nature of international 
    terrorism and the strategic, long-term goals of groups like al-Qaeda. 
    By studying what they are trying to do and then combining that with 
    the indications and warnings surrounding both their low-level actions 
    (i.e. evidence that they have been studying SCADA systems in U.S. 
    critical infrastructures) and their public statements, one can 
    extrapolate a future capability roadmap. Not to do that would be to 
    repeat the failures of 9/11. 
    
    El Reg: Why would a terror outfit attempt an infrastructure attack per 
    se? I can see how one could intensify a physical attack against a 
    population, and I accept that it's something to worry about - knocking 
    out local communications to hamper rescue efforts, say. But 
    communications are very parallel: you might knock out a system that 
    rescuers use; but you can't take out PSTN, cellular, Internet, TV and 
    radio, all at once. An infrastructure attack per se is tremendously 
    expensive in terms of finances, as well as planning, coordination and 
    execution. The same investment in suicide bombings would produce a 
    shocking body count. I doubt there's enough 'bang for the buck' in an 
    infrastructure attack, and I doubt one will be pursued seriously for 
    that reason. I believe that if a terror outfit should research this 
    thoroughly - really do their homework - they'll conclude the same: 
    that it's a waste of their resources. Why do you think that's wrong? 
    What evidence can you cite? 
    
    Verton: Again, you are assuming that international terrorism is a 
    static phenomenon that is incapable or unwilling to adapt to the 
    realities of the modern world. Your question also implies that 
    tomorrow's terrorist will look like and act like today's terrorist. 
    That's a classic case of underestimating one's enemy. You also wrongly 
    assume that such an attack would be more costly and more difficult to 
    plan and execute. The investment required for a highly targeted attack 
    is minimal, compared to a car bomb and the payoff is potentially just 
    as great in monetary terms. However, you are correct in your 
    assumption that to significantly damage the whole of the 
    infrastructure probably falls outside of the capabilities of terrorist 
    groups. And depending on what infrastructure we are talking about, 
    there is also the possibility of impacting public safety. The evidence 
    is in the writings and the public statements of al-Qaeda members and 
    supporters who have clearly shown an intense interest in damaging the 
    economy of the "capitalist" states. I outline who these individuals 
    are and what they have said and done in Black Ice. You should go back 
    and read that section again more carefully. 
    
    El Reg: People have talked about the possibility of attacking the 
    Internet to interrupt commerce. But isn't there a paradox? If you use 
    the Net as a weapon, but at the same time attack it, you're throwing 
    sand in the equipment you're using. There are weaknesses in BGP and 
    DNS that could be exploited, but by damaging the system, you're also 
    cutting yourself off from it. Again, I believe a terror outfit would 
    realize this if they researched it carefully, and conclude that it's 
    not feasible to mount a sustained cyber-attack that would interrupt 
    the Net across a broad area for any significant time. Why should I 
    believe otherwise? 
    
    Verton: Your question assumes that terrorists are interested in a 
    sustained, multi-infrastructure attack in cyberspace. But we know that 
    groups such as al-Qaeda are very patient with their planning and very 
    deliberate about their target selection. Therefore, your question 
    misses a very important support mechanism in guerilla warfare: using 
    highly targeted cyber attacks or physical attacks against key cyber 
    infrastructures as a force multiplier for traditional terrorist 
    operations. You've accused me of making dire predictions with no 
    evidence. I'm now accusing you of making wild assumptions about our 
    terrorist enemies that are designed to make them fit your 
    understanding of what terrorism is and what their goals are. And I'm 
    also saying that your assumptions and your understanding of 
    international terrorism are completely wrong. 
    
    El Reg: Why shouldn't I be suspicious of the bureaucrats you quote in 
    your book? Isn't cyber-terror an ideal mechanism for attracting 
    homeland security pork? The technology is complicated and not well 
    understood by the public, or members of Congress for that matter. It's 
    easy to frighten people when they lack the technical savvy to evaluate 
    these claims for themselves. Where is the evidence that cyber-terror 
    is anything more than a scary story to enrich security vendors and 
    increase federal security budgets? 
    
    Verton: I don't quote bureaucrats. I quote highly-respected, 
    long-standing professionals who have been in positions to know the 
    truth about the various matters covered in the book. By naming Richard 
    Clarke and Howard Schmidt, as you did in your review of my book, 
    referring to them as "paranoid bureaucrats" and then implying that 
    they and others would purposely spread disinformation to cash in on 
    the homeland security pork, is to do what many do when they're on the 
    losing end of a debate, and that's to engage in the politics of 
    personal destruction. Are there bureaucrats who engage in this kind of 
    behavior? Of course there are. But neither Clarke nor Schmidt are 
    among them. And I say that knowing both of those men personally. They 
    are true patriots at a time when patriotism is under attack. 
    
    So there you have it: there seems to be little common ground between 
    skeptic and believer. We leave it to the wisdom of our readers to 
    decide which way to lean in the debate.
    
    -=-
    
    Editors' note: Following the above dialogue, Dan Verton sent us a 
    piece, suggesting that this might be a more appropriate response to 
    Tom Greene's original review of his book. This is not, unhappily, our 
    considered opinion; we feel that Tom's review was and is a measured 
    and rational examination of the subject, and see no reason for 
    amendment or retraction. Equally, we are happy to publish Dan's 
    viewpoint: 
    
    A Feb. 25 review of my book, Black Ice: The Invisible Threat of 
    Cyber-Terrorism, by The Register's Thomas Greene, claimed that my work 
    failed to realize that "at its core, terror is about sudden and 
    violent death, not inconvenience." 
    
    I couldn't have asked for better support for what is actually the 
    central thesis of Black Ice: the complete lack of sophisticated 
    thinking on the part of the high-tech community about the evolution 
    and future of international terrorism. 
    
    The true face of al-Qaeda and other international terrorist 
    organizations is one that few Americans, especially some "thought 
    leaders" in the information security community, have come to 
    appreciate and accept. It is a picture of a thinking and 
    technologically sophisticated enemy that values formal training and 
    education, and that understands the critical role that information 
    technology plays in the day-to-day operations of America's economy and 
    national security. 
    
    Those in the information security community -- primarily technologists 
    -- who assert that terrorism is only about terror lack a sophisticated 
    understanding of the strategic goals of international terrorist 
    organizations. Their assertion is based on a predilection to view 
    homeland security through an antiseptic, mathematical lens. 
    International terrorism, on the other hand, is a multi-faceted 
    phenomenon that has long-term, strategic goals that go far beyond mere 
    death and destruction. Anybody who has read the history of the French 
    Revolution, during which the term terror was coined, knows that 
    terrorism has never only been about terror. 
    
    Specifically, groups such as al-Qaeda understand the need to strike at 
    America's economy as a means to curtail American military action 
    overseas and to reverse U.S. political support for Israel. To ignore 
    this fact is to ignore the evolutionary nature of terrorist tactics 
    and to appease those who would like to think that all terrorists are, 
    and will forever remain, a mindless horde of thugs living a 
    hand-to-mouth existence in caves in Afghanistan. 
    
    The security appeasers want to ignore the facts: al-Qaeda's history of 
    studying the use of modern technologies and its reliance on operatives 
    with degrees in engineering; laptop computers seized around the world 
    that contained evidence of al-Qaeda's interest in the computer systems 
    that control the electric power grid in the U.S. and other critical 
    infrastructures; the continued radicalization of young people who are 
    studying mathematics, computer science and engineering; and the 
    statements by Osama bin Laden and other radical Islamic clerics 
    outlining the usefulness of attacks against the "technical systems" of 
    large companies and the stock market. 
    
    A large part of the intellectual inflexibility surrounding the IT 
    security community's reluctance to accept cyber-terrorism as a clear 
    and present danger (not to mention the broader concept of 
    cyber-terrorism as a physical phenomenon) is a cultural reluctance to 
    accept terrorist organizations as thinking enemies capable of adapting 
    to the modern world. Such intellectual rigidity also stems from a lack 
    of understanding of the strategic goals of groups such as al-Qaeda and 
    why attacks against critical cyber infrastructures support those 
    goals. 
    
    This is not to say, however, that mass casualty attacks no longer play 
    a role in global terrorism. What most observers fail to recognize is 
    that fear and uncertainty are central themes of cyber-terrorism. 
    Attacks on the financial infrastructure can create uncertainty and 
    loss of confidence. Digital attacks on water systems that cause 
    dangerous levels of chlorine to be released into drinking water can 
    create fear in people who once felt secure from such remote enemies. 
    The potential scenarios are endless, but all are economic in nature. 
    
    But perhaps the most dangerous example of the IT security community's 
    intellectual bankruptcy is the refusal to recognize that tomorrow's 
    terrorist threat will not necessarily look and act like today's 
    terrorist threat. In addition to the radical elements within the 
    Pakistani Directorate for Inter-Services Intelligence (ISI), one can 
    find future cyber-terrorists in the thousands of young Muslim children 
    who are often fed a daily dose of hatred for America along with their 
    studies in computer science, mathematics and engineering. In addition, 
    one could also find ample evidence of bin Laden's computer hackers 
    throughout the growing community of unemployed Russian scientists; or 
    within organized crime syndicates in Russia, Malaysia, Italy, China, 
    Japan, Colombia, or Mexico. 
    
    But how long must we wait for the IT security community to start 
    thinking about and preparing for this threat? Will we have to wait 
    another eight years, as we did prior to Sept. 11, 2001 when the first 
    clear signs emerged that al-Qaeda was studying the use of commercial 
    airliners as precision strike weapons? If we continue to listen to 
    those in the IT security community who continue to prop up an outdated 
    understanding of international terrorism, we will once again be caught 
    by surprise because we will have put our fate in the hands of people 
    who are ignorant to the tectonic shifts of modern international 
    terrorism. 
    
    To not accept the evolving nature of the terrorist threat is to simply 
    wish it away. And hope is not a sound basis for a critical 
    infrastructure protection policy in the 21st century.
    
    
    