CRIME [Fwd: CRYPTO-GRAM, June 15, 2003]

From: Alan (alan@private)
Date: Sun Jun 15 2003 - 17:57:14 PDT

    I thought this article from the latest Cryptogram was interesting.
    
    
    -----Forwarded Message-----
    
    From: Bruce Schneier <schneier@private>
    To: crypto-gram@private
    Subject: CRYPTO-GRAM, June 15, 2003
    Date: 15 Jun 2003 05:15:48 -0500
    
                      CRYPTO-GRAM
    
                     June 15, 2003
    
                   by Bruce Schneier
                    Founder and CTO
           Counterpane Internet Security, Inc.
                schneier@private
              <http://www.counterpane.com>
    
    [snip]
    
    ** *** ***** ******* *********** *************
    
              The Risks of Cyberterrorism
    
    
    
    The threat of cyberterrorism is causing much alarm these days.  We have 
    been told to expect attacks since 9/11; that cyberterrorists would try 
    to cripple our power system, disable air traffic control and emergency 
    services, open dams, or disrupt banking and communications.  But so 
    far, nothing's happened.  Even during the war in Iraq, which was 
    supposed to increase the risk dramatically, nothing happened.  The 
    impending cyberwar was a big dud.  Don't congratulate our vigilant 
    security, though; the alarm was caused by a misunderstanding of both 
    the attackers and the attacks.
    
    These attacks are very difficult to execute.  The software systems 
    controlling our nation's infrastructure are filled with 
    vulnerabilities, but they're generally not the kinds of vulnerabilities 
    that cause catastrophic disruptions.  The systems are designed to limit 
    the damage that occurs from errors and accidents.  They have manual 
    overrides.  These systems have been proven to work; they've experienced 
    disruptions caused by accident and natural disaster.  We've been 
    through blackouts, telephone switch failures, and disruptions of air 
    traffic control computers.  In 1999, a software bug knocked out a 
    nationwide paging system for a day.  The results might be annoying, and 
    engineers might spend days or weeks scrambling, but the effect on the 
    general population has been minimal.
    
    The worry is that a terrorist would cause a problem more serious than a 
    natural disaster, but this kind of thing is surprisingly hard to 
    do.  Worms and viruses have caused all sorts of network disruptions, 
    but it happened by accident.  In January 2003, the SQL Slammer worm 
    disrupted 13,000 ATMs on the Bank of America's network.  But before it 
    happened, you couldn't have found a security expert who understood that 
    those systems were dependent on that vulnerability.  We simply don't 
    understand the interactions well enough to predict which kinds of 
    attacks could cause catastrophic results, and terrorist organizations 
    don't have that sort of knowledge either -- even if they tried to hire 
    experts.
    
    The closest example we have of this kind of thing comes from Australia 
    in 2000.  Vitek Boden broke into the computer network of a sewage 
    treatment plant along Australia's Sunshine Coast.  Over the course of 
    two months, he leaked hundreds of thousands of gallons of putrid sludge 
    into nearby rivers and parks.  Among the results were black creek 
    water, dead marine life, and a stench so unbearable that residents 
    complained.  This is the only known case of someone hacking a digital 
    control system with the intent of causing environmental harm.
    
    Despite our predilection for calling anything "terrorism," these 
    attacks are not.  We know what terrorism is.  It's someone blowing 
    himself up in a crowded restaurant, or flying an airplane into a 
    skyscraper.  It's not infecting computers with viruses, forcing air 
    traffic controllers to route planes manually, or shutting down a pager 
    network for a day.  That causes annoyance and irritation, not terror.
    
    This is a difficult message for some, because these days anyone who 
    causes widespread damage is being given the label "terrorist."  But 
    imagine for a minute the leadership of al Qaeda sitting in a cave 
    somewhere, plotting the next move in their jihad against the United 
    States.  One of the leaders jumps up and exclaims: "I have an 
    idea!  We'll disable their e-mail...."  Conventional terrorism -- 
    driving a truckful of explosives into a nuclear power plant, for 
    example -- is still easier and much more effective.
    
    There are lots of hackers in the world -- kids, mostly -- who like to 
    play at politics and dress their own antics in the trappings of 
    terrorism.  They hack computers belonging to some other country 
    (generally not government computers) and display a political 
    message.  We've often seen this kind of thing when two countries 
    squabble: China vs. Taiwan, India vs. Pakistan, England vs. Ireland, 
    U.S. vs. China (during the 2001 crisis over the U.S. spy plane that 
    crashed in Chinese territory), the U.S. and Israel vs. various Arab 
    countries.  It's the equivalent of soccer hooligans taking out national 
    frustrations on another country's fans at a game.  It's base and 
    despicable, and it causes real damage, but it's cyberhooliganism, not 
    cyberterrorism.
    
    There are several organizations that track attacks over the 
    Internet.  Over the last six months, less than 1% of all attacks 
    originated from countries on the U.S. government's Cyber Terrorist 
    Watch List, while 35% originated from inside the United 
    States.  Computer security is still important.  People overplay the 
    risks of cyberterrorism, but they underplay the risks of 
    cybercrime.  Fraud and espionage are serious problems.  Luckily, the 
    same countermeasures aimed at cyberterrorists will also prevent hackers 
    and criminals.  If organizations secure their computer networks for the 
    wrong reasons, it will still be the right thing to do.
    
    
    ** *** ***** ******* *********** *************
    



    This archive was generated by hypermail 2b30 : Sun Jun 15 2003 - 18:06:18 PDT