I thought this article from the latest Cryptogram was interesting.
-----Forwarded Message-----
From: Bruce Schneier <schneier@private>
To: crypto-gram@private
Subject: CRYPTO-GRAM, June 15, 2003
Date: 15 Jun 2003 05:15:48 -0500
CRYPTO-GRAM
June 15, 2003
by Bruce Schneier
Founder and CTO
Counterpane Internet Security, Inc.
schneier@private
<http://www.counterpane.com>
[snip]
** *** ***** ******* *********** *************
The Risks of Cyberterrorism
The threat of cyberterrorism is causing much alarm these days. We have
been told to expect attacks since 9/11; that cyberterrorists would try
to cripple our power system, disable air traffic control and emergency
services, open dams, or disrupt banking and communications. But so
far, nothing's happened. Even during the war in Iraq, which was
supposed to increase the risk dramatically, nothing happened. The
impending cyberwar was a big dud. Don't congratulate our vigilant
security, though; the alarm was caused by a misunderstanding of both
the attackers and the attacks.
These attacks are very difficult to execute. The software systems
controlling our nation's infrastructure are filled with
vulnerabilities, but they're generally not the kinds of vulnerabilities
that cause catastrophic disruptions. The systems are designed to limit
the damage that occurs from errors and accidents. They have manual
overrides. These systems have been proven to work; they've experienced
disruptions caused by accident and natural disaster. We've been
through blackouts, telephone switch failures, and disruptions of air
traffic control computers. In 1999, a software bug knocked out a
nationwide paging system for a day. The results might be annoying, and
engineers might spend days or weeks scrambling, but the effect on the
general population has been minimal.
The worry is that a terrorist would cause a problem more serious than a
natural disaster, but this kind of thing is surprisingly hard to
do. Worms and viruses have caused all sorts of network disruptions,
but it happened by accident. In January 2003, the SQL Slammer worm
disrupted 13,000 ATMs on the Bank of America's network. But before it
happened, you couldn't have found a security expert who understood that
those systems were dependent on that vulnerability. We simply don't
understand the interactions well enough to predict which kinds of
attacks could cause catastrophic results, and terrorist organizations
don't have that sort of knowledge either -- even if they tried to hire
experts.
The closest example we have of this kind of thing comes from Australia
in 2000. Vitek Boden broke into the computer network of a sewage
treatment plant along Australia's Sunshine Coast. Over the course of
two months, he leaked hundreds of thousands of gallons of putrid sludge
into nearby rivers and parks. Among the results were black creek
water, dead marine life, and a stench so unbearable that residents
complained. This is the only known case of someone hacking a digital
control system with the intent of causing environmental harm.
Despite our predilection for calling anything "terrorism," these
attacks are not. We know what terrorism is. It's someone blowing
himself up in a crowded restaurant, or flying an airplane into a
skyscraper. It's not infecting computers with viruses, forcing air
traffic controllers to route planes manually, or shutting down a pager
network for a day. That causes annoyance and irritation, not terror.
This is a difficult message for some, because these days anyone who
causes widespread damage is being given the label "terrorist." But
imagine for a minute the leadership of al Qaeda sitting in a cave
somewhere, plotting the next move in their jihad against the United
States. One of the leaders jumps up and exclaims: "I have an
idea! We'll disable their e-mail...." Conventional terrorism --
driving a truckful of explosives into a nuclear power plant, for
example -- is still easier and much more effective.
There are lots of hackers in the world -- kids, mostly -- who like to
play at politics and dress their own antics in the trappings of
terrorism. They hack computers belonging to some other country
(generally not government computers) and display a political
message. We've often seen this kind of thing when two countries
squabble: China vs. Taiwan, India vs. Pakistan, England vs. Ireland,
U.S. vs. China (during the 2001 crisis over the U.S. spy plane that
crashed in Chinese territory), the U.S. and Israel vs. various Arab
countries. It's the equivalent of soccer hooligans taking out national
frustrations on another country's fans at a game. It's base and
despicable, and it causes real damage, but it's cyberhooliganism, not
cyberterrorism.
There are several organizations that track attacks over the
Internet. Over the last six months, less than 1% of all attacks
originated from countries on the U.S. government's Cyber Terrorist
Watch List, while 35% originated from inside the United
States. Computer security is still important. People overplay the
risks of cyberterrorism, but they underplay the risks of
cybercrime. Fraud and espionage are serious problems. Luckily, the
same countermeasures aimed at cyberterrorists will also prevent hackers
and criminals. If organizations secure their computer networks for the
wrong reasons, it will still be the right thing to do.
** *** ***** ******* *********** *************
This archive was generated by hypermail 2b30 : Sun Jun 15 2003 - 18:06:18 PDT