Original article:
http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2001/11/12/MN29929.DTL
From: Richard Forno (rforno@infowarrior.org)
To: bwallace@sfchronicle.com
Date: Tue, 13 Nov 2001 14:09:58 -0500
Subject: comments on your sfchronicle piece

Bill -

A few comments on cyberterrorism.

Terrorists are by definition low-tech brutes. They know full well that darkened computer screens, folks unable to buy books online, and degraded Net performance are not going to scare folks with the same visceral fear seen around dinner tables across the globe after 09-11's events.

Cyber-terrorism is an over-hyped, sensational topic that has little basis in reality. While your incident examples did occur, what nobody is talking about is the more critical problem that instead of pointing fingers at "terrorists" and "hackers" we need to revisit and modify our security planning and posturing to prevent such attacks from happening. It's nowhere as critical or dangerous as "bioterrorism" or "nuclear terrorism" is, for sure.

A few specifics:

- Alexander's claim that cyberterrorism is the most "insidious form" of terrorist acts is plain wrong. The most insidious form of terrorism is what causes the most death, destruction, and paints the most graphic picture to panic the populace - that's what terrorism does. Dark computer screens don't do it, and news reports of such events don't scare folks like watching falling buildings in midtown Manhattan. Twenty years from now, people won't remember exactly where they were when the ILOVEYOU virus struck them, but you can be damn sure they'll remember and vividly recall where they were when Liberty Plaza was decimated.

- Penetrating a bank system or some other system does not automatically make someone a terrorist. It's a computer criminal act, sure - but not necessarily a terrorist one.

- The NATO event was on their public sites; to my knowledge, it did not disrupt military operations or sensitive communications. If it did, perhaps an argument could be made that it was 'cyber-terror'.

- Email spamming as cyberterrorism? Perhaps if someone dies as a result, but that's not very likely at all. That's a computer criminal action, not a terrorist one.

My point is that spinning up the "evil cyber-terrorist" angle is akin to trying to point the blame for information security problems on someone else instead of accepting responsibility for the IT quagmire we're seeing on a daily basis.

I respectfully submit these bullets for your consideration on follow-up pieces:

- If something's deemed "critical" (eg, air traffic control systems) why is it on a public network or have unsecured modem dial-in capabilities? As with government secrets, if you accept the responsibility for such delicate items, you also accept the associated responsibility to place security ahead of convenience when dealing with that item.

- Standardizing systems on a proven buggy, insecure, exploitable and unreliable operating system from a single vendor is a national security accident waiting to happen. Diversification of operating systems and software is critical so that one single attack/vendor/vector can't cause catastrophic damage to an enterprise resource.

- Electronic attacks against computers are a problem, sure - but a minor one compared to the poor state of physical security surrounding them.

- Mike Vatis is a proven fear-monger, responsible for pissing off more private sector folks with his "sky is falling" approach to IT security. He was the primary person in the government to sensationalize this issue in the late 1990s.

I hope my comments are useful - feel free to contact me with any questions.

Rick Forno
Arlington, VA
infowarrior.org