Information Security News mailing list archives

Cyberterrorists: our invisible enemies


From: InfoSec News <isn () c4i org>
Date: Tue, 25 Sep 2001 03:05:37 -0500 (CDT)

http://www.zdnet.com/zdnn/stories/comment/0,5859,2814190,00.html

By Rob Fixmer, Interactive Week
September 24, 2001 5:19 AM PT

COMMENTARY--As Attorney General John Ashcroft fielded reporters'
questions last Tuesday about the attack on the World Trade Center and
the Pentagon, one journalist asked if a new computer worm, discovered
only hours earlier, was in any way related to the terrorist strikes.
It was not, Ashcroft assured the nation--or at least, there was as yet
no evidence linking it to Osama bin Laden and his ilk.

Somehow that was not altogether reassuring. Yes, it suggested that the
same evil minds who plotted the deaths of thousands and the
destruction of our national icons in a relatively low-tech assault had
not evinced the technological sophistication to attack our computer
networks. Not yet, anyway.

But it also reminded us that the numbers of our invisible enemies are
growing each day, turning our commitment to freedom and openness into
sundry weapons capable of destroying us.

It is no exaggeration to describe the creation of computer viruses and
worms as terrorism. While none has yet threatened loss of life, as our
culture grows increasingly dependent on the network of networks to
organize and maintain our social, commercial, military and political
institutions, some highly sophisticated worm will eventually wield
deadly powers. It will not kill through physical assault, but through
deprivation - emergency supplies cut off, urgent calls for help
unheard, defenses unplugged. It will kill by throwing crucial
institutions into chaos by simply erasing or corrupting the data on
which we increasingly depend for daily sustenance.

As the world's political leaders counsel patience and perseverance in
a type of war never before waged, we risk enormous peril if we take
our eyes off the cyberfront. In some ways, digital terrorism will be
even harder to combat than suicide bombers and elusive snipers--first,
because the attackers are often armies of one whose motivation is
unknown, and second, because so much of our aggregate defenses depends
on private companies whose allegiances will always be divided between
social responsibility and profits.

As intoxicated as we've become with the notion that the market must
decide all things commercial, software developers have proven
themselves to be socially irresponsible by consistently releasing
products that are vulnerable to attack. Surely, the leaders of the
computer industry--men and women cited as visionaries at every
opportunity--have realized that network terrorism is an escalating
war. It's time to adopt and enforce industry standards with enough
teeth to make them stick.

That said, before we start pointing fingers at Microsoft, I suggest we
take a long hard look in the mirror. How many of us have been vigilant
in applying the patches developers have made readily available--often
proactively? How many of us have circumvented password protections
because we couldn't be bothered? How many can say we have been
completely vigilant in monitoring firewalls and network diagnostics?
How many of us, in fact, have been asleep at the wheel?

It's not Microsoft's job to protect us from ourselves, from our
inertia or our unwillingness to invest human and capital resources in
our own barricades. It's not Microsoft's job to force ISPs to wage a
cooperative war on denial-of-service attacks. Nor can Microsoft, as
large as it is, act as the world's software police or central
administrator of defensive information. That role lies with industry
and government, which have so far compiled a very sorry record in
collaborating against cyberterrorism.

And finally, a great deal of responsibility lies with the hacker
community, which consistently criticizes worm and virus attacks and
denies any responsibility for their existence, but in truth condones a
shadowy subculture that nurtures these terrorists. Three years ago,
IBM sponsored a daylong seminar on cyberforensics at its headquarters
in Armonk, N.Y. The event drew some of the brightest lights in the
hacker world, but when one speaker attempted to distinguish between
"black hat" and "white hat" hackers, he was booed. Hacking was "not
about morality," one member of the audience shouted.

In the immortal words of Harry Truman: bullshit! There are no moral
shades of gray here. We cannot condone the argument put forth by
social misfits at keyboards that Microsoft products must be attacked
to expose their vulnerabilities. Everyone knows there are responsible
ways to hack a product. Releasing a worm or otherwise attacking an
undefended network is not among them. It's time the hacker community
weeded out the evil in its midst.

The bottom line is that we are already engaged in an escalating
confrontation that holds frightening consequences for our economy,
culture and well-being. Winning the war against cyberterrorism will
require never-ending vigilance--and patience and perseverance--on the
part of all of us.

Rob Fixmer is Editor-in-Chief of Interactive Week. He can be reached
at rob_fixmer () ziffdavis com.



-
ISN is currently hosted by Attrition.org
