users around the world now believe in cyber terrorism-the theory that
terrorists will soon inflict massive casualties on innocent lives by
attacking corporate and governmental computer networks. Now, if only we
could get the terrorists to buy it.
The survey, conducted in 19 major cities around the world by Euro RSCG
Worldwide, an advertising agency network, found that 45% of respondents
agreed completely that "computer terrorism (against corporations and
governments) will be a growing problem." And another 35% agreed somewhat.
I have to admit, I have some doubts about the survey. The vague phrase
"will be a growing problem" leaves a lot of wiggle room -- the problem
certainly can't shrink much, hovering as it is at zero cyber terrorist
incidents per year. And the study also found that netizens' greatest
technology-related fear is "the fusion of humans and computers," with
one-in-four worried that "computers will grow too powerful for people to
control." If you do your polling at a Terminator film festival you'll come
up with all sorts of screwy answers.
But statistics aside, there's no doubt that cyber terror, and its
nation-state equivalent, infowar, is in the zeitgeist. Witness the
feverish, panting diatribes on the subject that have muscled into
mainstream forums in the last two months.
The influential journal Foreign Affairs lent space to a silly rant by
iDefense's James Adams about hackers blacking out cities and killing
emergency 911 systems "with a couple of keystrokes." His point, after a
few mischaracterizations of recent events and liberal use of apocalyptic
imagery, is that the U.S. Defense Department needs to be placed in charge
of protecting all U.S. networks from cyber attack. Cooler heads might
wonder if the Pentagon shouldn't get the hang of securing its own
Meanwhile, no less an authority than The New Yorker assured us in May that
"sophisticated terrorists... now have the ability to crash satellite
systems, to wage economic warfare by unplugging the Federal Reserve system
from Wall Street, even to disrupt the movements of ships at sea."
Finally, the cyber terror hype reached breakfast tables around America
with Andrea Stone's June 19th article in USA Today, titled 'Cyberspace:
The next battlefield'.
"[A]n adversary could use ... viruses to launch a digital blitzkrieg
against the United States. It might send a worm to shut down the electric
grid in Chicago and air-traffic-control operations in Atlanta, a logic
bomb to open the floodgates of the Hoover Dam and a sniffer to gain access
to the funds-transfer networks of the Federal Reserve," writes Stone.
There is a virus at work here, but it's not the troublesome
W32-ShutDownAllPowerInChicago.worm. It's a misinformation virus, and
credulous publishers are playing the role of Microsoft Outlook.
Part of the problem is that no one has a vested interest in debunking the
myth of the information apocalypse. A little doom-saying doesn't hurt the
computer security industry, the Defense Department could always use a
little extra cash from Congress, hackers enjoy their image as dangerous
terrorists whose very fingertips are deadly weapons, and journalists like
writing things like "digital blitzkrieg" and "information apocalypse."
Adding to the mess, some defense planners actually believe this stuff.
Hidden behind language like "asymmetric warfare" is a textbook
demonstration of fallacy from a Logic 101 course:
1. Computers can be disrupted by viruses.
2. The power grid is controlled by computers.
3. Therefore, terrorists and foreign governments can cause massive
blackouts with viruses.
National security planners see deadly logic bombs raining down on Chicago
-- it works that way with real bombs, after all. This is high-level
thinking. Really high, where the air is thin and the real nature of cyber
attacks isn't visible.
A more down to earth 'Electric Power Risk Assessment' conducted by the
Clinton White House's National Security Telecommunications Advisory
Committee in 1997 found that the power grid was indeed vulnerable to
computer intruders. However, "Despite the growing concern about cyberspace
attacks, the physical destruction of utility infrastructure elements is
still the predominant threat to electric utilities," reads the report.
To cause even a brief, regional blackout cyber terrorists would have to
find a path to control networks that are usually isolated from the
Internet. They would spend time conducting critical node analyses, learn
to communicate with remote telemetry systems using proprietary,
undocumented protocols, and all the while avoid detection for weeks, or
even months, while building and maintaining their access.
We'd live in a more peaceful world if terrorists spent their time hunched
over PCs looking at hex dumps of SCADA traffic.
Sadly, ten years after pundits first predicted an "Electronic Pearl
Harbor," terrorists still aren't buying it. They refuse to give up
violence in favor of computer hacking. Maybe they don't read USA Today.
They still stubbornly swear by explosives. They continue to favor sneak
attacks over the kind that can be picked up by intrusion detection
systems. They go for the assaults that are effective even if the victims
are doing everything right, instead of the kind that exploit buggy
software and configuration errors. And they prefer loss of life over loss
of electrical power.
They probably don't believe in cyborgs either. By Kevin Poulsen