Cyber-terror drama skates on thin Black Ice

[InfoSec News <isn () c4i org>]

http://www.theregister.co.uk/content/55/35816.html

[ http://www.amazon.com/exec/obidos/ASIN/0072227877/c4iorg  - WK]

By Thomas C Greene in Washington
Posted: 25/02/2004 

Computerworld columnist Dan Verton has covered the security beat for 
several years. He has recently weighed in on the cyber-terror 
discussion with a book called Black Ice: The Invisible Threat of 
Cyber-Terrorism. 

Verton gets off to a good start in his introduction, where he notes 
that physical attacks against high-value communications infrastructure 
are an important area of concern. He also suggests that the 
destructive effects of a physical terror attack could be intensified 
by a simultaneous attack against local communications infrastructure 
by hampering rescue efforts. At that point, I was anticipating a 
balanced discussion of the threats and risks associated with cyber 
terror, which is, after all, something that has never occurred. 

Unfortunately, the book soon loses its balance and tips increasingly 
in the direction of paranoid speculation. This shift in tone 
culminates on page 96, where Verton claims that "we can safely discard 
the opinions of those who argue that cyber-terrorism ... is 
impossible." At that point I lost all sympathy for what the author was 
saying. It is indeed reasonable to question the plausibility of 
cyber-terrorism; and it's quite preposterous to "discard the opinions" 
of sceptics. There are some very smart and knowledgeable people who 
think cyber-terror is a myth. 

Dire predictions 

But discard them Verton does. His book is far more concerned with the 
wholesale retailing of dire predictions from paranoid bureaucrats like 
former cyber-security czar Richard Clarke and ex-Microserf Howard 
Schmidt than a realistic exploration of the dangers involved. 

Indeed, wherever Verton writes about cyber-terror per se, it is always 
in the form of a fictional scenario. Because we've yet to experience 
cyber-terrorism, there's little one can say about it from a strictly 
factual point of view - certainly not enough to fill a book. 

And this leads to another problem: the book spends a great deal of 
time talking about al-Qaeda and radical jihadists in general, showing 
us what creeps they are, as if we didn't already know, and speculating 
that if these creatures ever decided to blow up power stations and 
telephone infrastructure, or become elite hackers, we'd all be in 
serious trouble. 

Hollow center 

This general material takes up a great deal of the book, and forms is 
its hollow center. We can talk about terrorist possibilities until 
we're blue in the face, but at its core, terror is about sudden and 
violent death, not inconvenience. It's hard to imagine a terror outfit 
attacking power distribution infrastructure after seeing the complete 
lack of panic and mayhem in the wake of this Summer's blackout in the 
US and Canada. People were inconvenienced, all right; but they coped 
with it, the broken stuff got fixed, and no one was killed, 
traumatized, or horrified. 

Terror doesn't come from having the lights go dim or the phones go 
dead or the ATM go haywire. Terror comes from hundreds or even 
thousands of people suddenly and violently murdered in an instant. 
This is what terrorists are after, not power outages. Unfortunately, 
the book emphasizes threats to infrastructure as if they were the 
primary worry, when, in fact, an infrastructure attack can only 
intensify a real terror attack. It is not one in itself. 

Verton's sources are almost exclusively himself, and bureaucrats 
concerned with cyber-terror. There are no sceptical voices in the 
book, and not even an attempt at offering counter-arguments to a 
sceptical point of view. The book barely acknowledges that there are 
valid arguments questioning cyber-terror and its significance. And 
Verton's habit of using his own articles for reference gets suspicious 
after a while. There's certainly nothing wrong with a journalist 
pointing readers to his articles for additional information; but here, 
because there is so little hard evidence Verton can supply to 
substantiate his claims, the self-references take on a flavor of, "and 
you know it's true because I've said it before." 

Opposing views 

The book is highly speculative and fails to confront opposing views. 
We're told that we can "safely discard the opinions" of sceptics, but 
we're not told why. The book's argumentative force rests on the 
assertion that we should worry about cyber-terror because Richard 
Clarke, Howard Schmidt and Tom Ridge worry about it - and because 
security vendors reaching out for juicy gobbets of Homeland Security 
pork "worry" about it too. 

Black Ice will appeal to readers who already believe that cyber-terror
is a clear and present danger. Those who have yet to make up their
minds will find a one-sided discourse, and would do well to follow it
with a more balanced book such as Beyond Fear[1] by Bruce Schneier
before drawing any conclusions. Cyber-terror sceptics will not be
persuaded by Verton's arguments, or his sources, and should probably
avoid it.

[1] http://www.amazon.com/exec/obidos/ASIN/0387026207/c4iorg



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.