Original article:

From: Richard Forno (rforno@infowarrior.org)
To: bwallace@sfchronicle.com
Date: Tue, 13 Nov 2001 14:09:58 -0500
Subject: comments on your sfchronicle piece

Bill -

A few comments on cyberterrorism.

Terrorists are by definition low-tech brutes. They know full well that
darkened computer screens, folks unable to buy books online, and degraded
Net performance are not going to scare folks with the same visceral fear seen
around dinner tables across the globe after 09-11's events.

Cyber-terrorism is an over-hyped, sensational topic that has little basis in
reality. While your incident examples did occur, what nobody is talking
about is the more critical problem that instead of pointing fingers at
"terrorists" and "hackers" we need to revisit and modify our security
planning and posturing to prevent such attacks from happening. It's nowhere
as critical or dangerous as "bioterrorism" or "nuclear terrorism" is, for

A few specifics:

- Alexander's claim that cyberterrorism is the most "insidious form" of
terrorist acts is plain wrong. The most insidious form of terrorism is what
causes the most death, destruction, and paints the most graphic picture to
panic the populace - that's what terrorism does. Dark computer screens don't
do it, and news reports of such events don't scare folks like watching
falling buildings in midtown Manhattan. Twenty years from now, people won't
remember exactly where they were when the ILOVEYOU virus struck them, but
you can be damn sure they'll remember and vividly recall where they were
when Liberty Plaza was decimated.

- Penetrating a bank system or some other system does not automatically make
someone a terrorist. It's a computer criminal act, sure - but not
necessarily a terrorist one.

- The NATO event was on their public sites, to my knowledge, it did not
disrupt military operations or sensitive communications. If it did, perhaps
an argument could be made that it was 'cyber-terror'

- Email spamming as cyberterrorism? Perhaps if someone dies as a result, but
that's not very likely at all. That's a computer criminal action, not a
terrorist one.

My point is that spinning up the "evil cyber-terrorist" angle is akin to
trying to point the blame for information security problems on someone else
instead of accepting responsibility for the IT quagmire we're seeing on a
daily basis. 

I respectfully submit these bullets for your consideration on follow-up

- If something's deemed "critical" (eg, air traffic control systems) why is
it on a public network or have unsecured modem dial-in capabilities? As with
government secrets, if you accept the responsibility for such delicate
items, you also accept the associated responsibility to place security ahead
of convenience when dealing with that item.

- Standardizing systems on a proven buggy, insecure, exploitable and
unreliable operating system from a single vendor is a national security
accident waiting to happen. Diversification of operating systems and
software is critical so that one single attack/vendor/vector can't cause
catastrophic damage to an enterprise resource.

- Electronic attacks against computers are a problem, sure - but a minor one
compared to the poor state of physical security surrounding them

- Mike Vatis is a proven fear-monger, responsible for pissing off more
private sector folks with his "sky is falling" approach to IT security. He
was the primary person in the government to sensationalize this issue in the
late 1990s.

I hope my comments are useful - feel free to contact me with any questions.

Rick Forno
Arlington, VA
