'Black Ice: The Invisible Threat of Cyber-Terrorism' by Dan Verton

[InfoSec News <isn () c4i org>]

http://www.washingtonpost.com/wp-dyn/articles/A31867-2003Aug7.html

BLACK ICE 
The Invisible Threat of Cyber-Terrorism 
By Dan Verton
McGraw-Hill/Osborne. 312 pp. $24.99 

Reviewed by Clive Thompson
Sunday, August 10, 2003; Page BW04 

Not long ago, cyber-terrorists were Public Enemy Number One. In the
summer of 2000, a malicious, reclusive hacker released a computer
virus called "I Love You" that raced around the globe, destroying $10
billion worth of data. Spies worldwide scrambled to hunt him down, and
newspapers ran horrified above-the-fold coverage. Cyberspace seemed
like the scariest place on Earth.

Then two planes flew into the World Trade Center -- and the real,
physical world became instantly scarier. Terrorists were real, but
they weren't invading our desktops, and they weren't even very
technologically innovative. On the contrary, their tools of choice --
box cutters -- were so savage and low-fi they wouldn't have been out
of place in an invasion of a suburban home.

Explosions, destroyed buildings -- that's the stuff that scares the
pants off America. So ever since Sept. 11, it's been hard to get
worked up about hackers, viruses and digital mayhem. It all seems like
a narcissistic indulgence of the dot-com era, when the Internet was
the biggest thing going. When a Manhattan friend recently saw me
reading a copy of Black Ice, he scoffed: "That stuff is crap. They're
not gonna attack us on the 'Net. They're going to set off car bombs in
Times Square. They want dead bodies."

This, in a nutshell, is what the book's author, Dan Verton, is up
against. Because he argues that terrorists are indeed developing a new
generation of cyberattacks -- and they'll be far worse than anything
we could imagine, precisely because we aren't guarding against them.  
Verton is as credible a digital Cassandra as you can get; he is a
former intelligence officer, and his superb investigative journalism
for Computerworld magazine recently forced American Airlines to clamp
down on its lax wireless technology, which left bag-checking devices
open to be messed with.

Some of the examples Verton unearths are certainly spooky. Back in
1996, a Swedish teenager remotely generated so many calls to 911 in
southern Florida that he tied up the system. Another hacker today is
developing a virus that can commandeer mobile phones and have them
similarly flood 911 with phantom calls. Or consider the power grid: In
the six months following the World Trade Center attacks, security
companies logged 129,000 intrusions, many of which "appeared to be
sponsored by governments or organizations in the Middle East," as
Verton darkly notes. Imagine no electricity for, say, an entire week:  
food rotting, crime surging, no phones, and business ground to a halt.

Which is Verton's point: Genuine cyberterrorism will be as physical as
a punch to the gut. Who cares about teenage hackers defacing Web sites
with misspelled taunts and pictures of porn stars? Let 'er rip, kids.  
You're only hurting our browsers. Al Qaeda, Verton suggests, would use
the virtual world merely as a vehicle with which to attack the real
one, and leave plenty of dead bodies. Verton envisions "swarming
attacks," combinations of virtual and physical blows: A dirty bomb
blows up in Washington, D.C., while a cyberattack wreaks havoc at the
nearby hospitals.

And whoops -- as Verton discovers, those hospital computers aren't
terribly well guarded. Neither are those of banks, airline systems and
most utilities. This is because they're for-profit concerns, and,
frankly, security is expensive and inefficient and cuts down on
profits. This is a weird turning point in national security. In the
old days, the government controlled the important borders of sea, air
and land. But now, folks like Merrill Lynch and Verizon -- and, for
that matter, you sitting there at your computer -- control the data
borders. For the first time, a big part of national security is at the
mercy of a rather indifferent free market. This is not to suggest that
massive government regulation would be a necessarily better answer; it
was, after all, the Bush administration that out-Orwelled Orwell by
patching together the Total Information Awareness program. Just
imagine the government's paranoid clampdown after the first big
terrorist cyberstrike takes place.

Or, should I say, if it takes place. In the end, Verton never offers
up a smoking gun. There may well be Al Qaeda hackers out there
perfecting evil ways to commandeer air-traffic-control systems. But if
there are, we never meet them via any first-hand reporting. Verton
doesn't wear out his shoe leather hunting through Afghanistan and
Pakistan for these guys; indeed, he rarely seems to leave his desk.  
Rather, he relies hawkishly on government reports that nervously
prophesy cyberchaos. And these reports are, unfortunately, maddeningly
hypothetical: This terribly-bad-thing might happen; that
even-more-awful-thing could take place. This makes them somewhat hard
to trust, in the wake of our "Where's Waldo?" hunt for Iraq's supposed
weapons of mass destruction. Trumping up threats to keep defense
budgets fat is the oldest game played by Pentagon insiders.

Still, as a longtime computer geek, I've seen how brittle, complex and
friable computer systems can be. It's possible that Verton is simply
wrong. But if he's right . . . we'll pine for the days when the worst
thing a virus could do was waste $10 billion. •

Clive Thompson writes for Wired, the New York Times Magazine and
Details. He can be reached at clive () clivethompson net.




-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.