Interesting People mailing list archives

IP: Peril of online terror ignored


From: David Farber <dave () farber net>
Date: Wed, 02 Jan 2002 19:19:51 -0500

Peril of online terror ignored
12/22/2001
By TOM SIEGFRIED / The Dallas Morning News
WEST LAFAYETTE, Ind. – Somehow, terrorism in cyberspace doesn't seem to belong in the same league with the bio, chemical, and explosive varieties. E-mail delays and Web-page breakdowns just aren't as terrifying as anthrax attacks or airplane hijackings. More elaborate electronic evils can be imagined, but they don't strike most people as serious threats.
"Certainly there are things that can be done to cause damage and even death," says computer security expert Eugene Spafford. But deadly cyberattacks in isolation don't look likely.
On the other hand, cyberterror might be a powerful way to magnify the terror caused by other direct assaults. During a terrorism-induced disaster, cyberterrorists might disable the 911 emergency system or cut off the water supply or shut down electric power to an affected area. "Those would amplify the effects considerably," says Dr. Spafford, of Purdue University in West Lafayette.
Hijacking the Internet to spread false information could also add to the public's level of panic and anxiety in times of terrorism. "There are things that could be damaging to individuals, to organizations, and to society as a whole," says Dr. Spafford, one of the nation's leading experts on information security.
Resources scarce
Yet for all the dangers that cyberterror poses, the problem remains below the radar screens of most policy-makers. The nation's resources for research into cybersecurity are scarce, and nobody is doing much about trying to improve them.
"Very few policy-makers understand the complexity and depth of the problems," says Dr. Spafford, who recently testified before Congress on these issues.
Formulating a research strategy for solving the nation's information-security problems should be a government priority, he believes. Yet many officials would rather leave the problems in the hands of private industry and the free market.
"There are a number of people in government, at high-level positions of policy-making, who believe that the market will produce results," Dr. Spafford said in an interview at Purdue. But the free market, he points out, encourages cost savings and speed, major reasons why software is so full of loopholes for cybercriminals to exploit.
"The whole reason we have this mess is because of the market," Dr. Spafford asserts. The faith government officials have in industry is therefore misplaced. "The people who they want to turn to for the solutions are the people who caused these problems in the first place," he declares.
Government indifference is only part of the problem. The public as a whole has a lackadaisical attitude about cybercrime and even finds some of the criminals intriguing. "As a public, we have to ... stop romanticizing the image of the hacker," Dr. Spafford says.
The notion that hackers are computer wizards whose magic could be turned to society's benefit is bogus, he says. "They are not experts, in general," Dr. Spafford says. "Systems today are so fragile, and there are so few people that understand how to protect them, that it's trivial to break into them. So the expertise that these folks have is really quite illusory." Entrusting information security to reformed hackers is therefore not the solution.
Rather, the nation needs a system for producing serious research into how to protect information resources. But current circumstances conspire to thwart efforts at establishing a viable research enterprise. For one thing, computer-science students have very little incentive to finish their degrees or, if they get a Ph.D., to teach new students. Lucrative offers from industry lure the best and brightest away from academia. Those who remain in the academic world have to work on outdated equipment for less pay and prestige.
Incentives needed
If there's any hope for the future, Dr. Spafford believes, it will lie in developing incentives for better security and in creating a climate that sustains long-term research.
"Government and industry have to start thinking about making choices based on security and safety and quality, instead of affordability and compatibility with what they're already running," he says.
Incentive to think in such terms could come from the insurance industry, he suggests. Insurance companies could offer deep premium discounts for companies that practice sound computer security – or charge steeper prices for anyone using software known to contain security-compromising bugs.
On the research side, Dr. Spafford advises multidisciplinary centers, drawing together studies of the diverse factors entering into the computer security equation. Computer scientists must collaborate with experts in economics, politics, law, and psychology. Such research must recognize, he says, that the real issue is not protecting computers but protecting information and that the human side of the equation is as important as the technological side.
"The human element is inadequately addressed at most places," he says. "Yes, we would have no computer crime if there were no computers, but we would also have no computer crime if there were no people."
In fact, problems commonly attributed to computer error are almost always really the fault of people who have provided the computer with faulty information or flawed software.
"It's very convenient to blame hardware that can't defend itself," Dr. Spafford says. "But that's not where the problem is. Until we get over that, I don't think we're going to make a lot of progress."

Online at: http://www.dallasnews.com/lifestyles/columnists/tomsiegfried/STORY.eae7fc0bfb.b0.af.0.a4.3e0ca.html
© 2001 DallasNews.com

For archives see:
http://www.interesting-people.org/archives/interesting-people/

