[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ISN] Hacker threat seen as overdone

Forwarded from: William Knowles <wk@xxxxxxx>


By Fred Reed
December 26, 2002

Much has been made, including money by the sale of books, of the
supposed vulnerability of the United States to cyber-terrorism. The
idea is that various bad guys could hack into the national
infrastructure, meaning things like the electric grid, water supplies
and air traffic control, to "bring the country to its knees."
Such a threat is overblown, says James Lewis, of the Center for
Strategic and International Studies, in a paper published this month.
Mr. Lewis makes a distinction between computer networks in general and
critical infrastructure. He says, "a brief review suggests that while
many computer networks remain very vulnerable to attack, few critical
infrastructures are equally vulnerable." To bring the country down
even briefly, terrorists would have to do serious damage to critical
systems, not just make nuisances of themselves.
Mr. Lewis makes several points. One is that there is a difference
between being a pest and causing strategically serious damage.  
Bollixing up administrative systems, for example, would have no
strategic importance. Nor would it terrify anyone.
Second, the American infrastructure is much more robust than terror
mongers would have us think. Failure and disruption are already a
routine fact of infrastructural life and cause no more than
For example, storms drop trees on power lines, causing widespread loss
of power for a few hours. It's irritating but strategically
insignificant. Water mains break, a new computer worm causes trouble,
a radar fails in an air-traffic control center. The system, says Mr.  
Lewis, is designed to work around and repair these disruptions.
Years back, having been told how vulnerable to hackers the air-traffic
control system was, I called an airport to ask. The response was,
first, that the actual direction of traffic isn't on the Internet and
second, that if hackers somehow disabled the electric grid, the
airport would use its back-up generators.
Well, how vulnerable is the electric grid?
Says Mr. Lewis: "Many analyses have cyberterrorists shutting down the
electrical power system. One of the better cyber-security surveys
found that power companies are a primary target for cyber-attacks, and
that 70 percent of these companies had suffered a severe attack in the
first six months of 2002," Yet, he says, none has caused an outage.
A point Mr. Lewis doesn't explicitly make: The underlying assumption
in most of the cyber-doom predictions is that everyone but is stupid.
Oddly enough, the people in charge of important infrastructure have
thought of the obvious. The electrical engineers who run power
networks have heard of computers. They have thought about these
Suppose computer terrorists wanted to disrupt the water supply, which
has been suggested as a danger. Mr. Lewis notes that the United States
has 54,064 different water-supply systems. That's a lot of targets to
attack. Some are more important than others: Of the total, he says,
353 serve 40 percent of the population. Brief disruptions of water
supplies do not threaten the national security.
Is the military at risk? Mr. Lewis says, " while there were many
attacks against U.S. military computer networks during operations in
Kosovo, these attacks did not result in sorties being canceled or in a
single casualty."
An assumption I have noticed in disaster scenarios is that if a
terrorist can disrupt a network's computers, the network is destroyed.  
Actually, computers fail frequently, whereupon the engineers reload
from backups and life goes on.
His conclusion: "The sky is not falling, and cyber-weapons seem to be
of limited value in attacking national power or intimidating

"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
C4I.org - Computer Security, & Intelligence - http://www.c4i.org

ISN is currently hosted by Attrition.org

To unsubscribe email majordomo@xxxxxxxxxxxxx with 'unsubscribe isn'
in the BODY of the mail.