Re: Hacker threat seen as overdone

[InfoSec News <isn () c4i org>]

Forwarded from: Richard Forno <rforno () infowarrior org>

> Such a threat is overblown, says James Lewis, of the Center for
> Strategic and International Studies, in a paper published this
> month.

It's about bloody time others start saying this. I'm so sick of
politicos, corporations, special interests, (and their paid-for
think-tanks) preaching the Chicken Little message.  I can't wait to
read their report to see if it truly supports this position.

For the past year, I've said the same thing to my military audiences
at NDU in Washington.

I particularly despise Sen Shumer (D-NY) who believes that if someone
hacked the FAA, airplanes would fall from the sky. Good ol' Bud
forgets that planes have a really good backup system called "pilot"
and "co-pilot" and that a sudden loss of FAA systems probably won't
have planes crashing....after all, the systems are so old anyway that
they go up and down like a yo-yo, and most commercial pilots have had
to deal with that 'feature' of air travel.

> Mr. Lewis makes a distinction between computer networks in general
> and critical infrastructure. He says, "a brief review suggests that
> while many computer networks remain very vulnerable to attack, few
> critical infrastructures are equally vulnerable." To bring the
> country down even briefly, terrorists would have to do serious
> damage to critical systems, not just make nuisances of themselves.

AMEN!  Amazon getting hacked or DoJ getting defaced isn't a critical
national security problem. Now, a "critical infrastructure" such as
water plants or financial systems, that's a different thing. Anyone
who thinks otherwise is an idiot and shouldn't be in a position of
national leadership.

> Mr. Lewis makes several points. One is that there is a difference
> between being a pest and causing strategically serious damage.
> Bollixing up administrative systems, for example, would have no
> strategic importance. Nor would it terrify anyone.

An Islamic terrorist won't say "Allah be praised, the NASDAQ is
crashed! The Americans are scared of us!"  -- it's much more effective
to crash a few planes into buildings and watch the viseral,
gut-wrenching fear that results, which is FAR more effective and FAR
more easy to do than hack something.

0911 was done for under $150K according to some reports, and if you
think about it, the terrorists got a heck of a return for their
investment, far more than they could hope to achive in a 'cyberwar'
attack.

> Second, the American infrastructure is much more robust than terror
> mongers would have us think. Failure and disruption are already a
> routine fact of infrastructural life and cause no more than
> inconvenience.

Yup. I join those who say last month's DDOS attack on the root servers
was highly-overblown by the media. DNS still functioned. Even if the
roots went down, you can still navigate & send mail via IP address --
the root servers just make it a bit easier for people not to have to
remember zillions of different IP addresses.  Sure, a 'new' or
'modified' domain name might not be accessible, but the net will still
function.

> For example, storms drop trees on power lines, causing widespread
> loss of power for a few hours. It's irritating but strategically
> insignificant. Water mains break, a new computer worm causes
> trouble, a radar fails in an air-traffic control center. The system,
> says Mr. Lewis, is designed to work around and repair these
> disruptions.

Jeepers, this guy must've read my SecurityFocus column "Shredding The
Paper Tiger of Cyberterrorism."

http://online.securityfocus.com/columnists/111

> A point Mr. Lewis doesn't explicitly make: The underlying assumption
> in most of the cyber-doom predictions is that everyone but is
> stupid.

No, the folks who believe in cyberterrorism are stupid, ignorant,
FUD-following sheep. And companies that sell 'cybersecurity
intelligence' to help protect against 'cyberterrorism' are only
fleecing their clueless clients.

The cyberterrorist threat is a sensational concept based on FUD,
ignorance, and hype....and believed to be true by the same politicos
who think "Swordfish" was a realistic movie about INFOSEC.

If we're going to say there are cyberterrorists, then we've got to
start saying 0911 was the result of aeroterrorists. The manner in
which the attack is carried out doesn't matter -- terrorism is
terrorism is terrorism.

As George Carlin might say, "there are no cyberterrorists."

In this case, instead of accepting responsibility for our actions (or
inactions) regarding INFOSEC, we point fingers at anyone else - such
as phantom cyberterrorists - to avoid responsibility and
accountability. It's nothing more than the latest version of Passing
The Buck.  We see INFOSEC incidents occur regularly because WE MAKE IT
EASY FOR THEM TO OCCUR and thus BRING IT ON OURSELVES....either
through poor management, bad system/network administration and design,
or shoddy software.

> His conclusion: "The sky is not falling, and cyber-weapons seem to
> be of limited value in attacking national power or intimidating
> citizens."

Here, here.

Rick
Infowarrior.org



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.