Information Security News mailing list archives

El Reg badly misguided on cyber-terror threat


From: InfoSec News <isn () c4i org>
Date: Thu, 4 Mar 2004 05:09:58 -0600 (CST)

http://www.theregister.co.uk/content/7/35983.html

By Thomas C Greene in Washington
Posted: 03/03/2004 

Our recent, negative review of Black Ice: The Invisible Threat of 
Cyber-Terrorism by Dan Verton drew a good deal of reader mail, 
including a request by the author to debate the issues raised in our 
article, and his book. 

When Verton invited us via e-mail to "do a Q&A to give me the chance 
to refute the ridiculous claims you make in your review of my book," 
well, we couldn't possibly refuse. It was agreed that El Reg would ask 
the questions, and Verton would answer, thereby enjoying the last 
word. Herewith our exchange, edited very lightly: 

El Reg: You indicate that cyber-terror skeptics have their heads in 
the sand, that they're ignoring signs of a growing interest among 
terror outfits in infrastructure attacks. But where's the evidence of 
this? A few laptops may have been seized with evidence of some limited 
research along these lines, but that's hardly the same as a plan. So 
far as I know, there has never been any evidence of a coherent plan or 
the financial backing needed to attempt anything along those lines. Am 
I mistaken? 

Verton: Yes, you are mistaken. The evidence that you are looking for 
and that the skeptics are looking for is not the only evidence that 
exists. You cannot map terrorist threats to vulnerabilities without a 
solid understanding of the evolutionary nature of international 
terrorism and the strategic, long-term goals of groups like al-Qaeda. 
By studying what they are trying to do and then combining that with 
the indications and warnings surrounding both their low-level actions 
(i.e. evidence that they have been studying SCADA systems in U.S. 
critical infrastructures) and their public statements, one can 
extrapolate a future capability roadmap. Not to do that would be to 
repeat the failures of 9/11. 

El Reg: Why would a terror outfit attempt an infrastructure attack per 
se? I can see how one could intensify a physical attack against a 
population, and I accept that it's something to worry about - knocking 
out local communications to hamper rescue efforts, say. But 
communications are very parallel: you might knock out a system that 
rescuers use; but you can't take out PSTN, cellular, Internet, TV and 
radio, all at once. An infrastructure attack per se is tremendously 
expensive in terms of finances, as well as planning, coordination and 
execution. The same investment in suicide bombings would produce a 
shocking body count. I doubt there's enough 'bang for the buck' in an 
infrastructure attack, and I doubt one will be pursued seriously for 
that reason. I believe that if a terror outfit should research this 
thoroughly - really do their homework - they'll conclude the same: 
that it's a waste of their resources. Why do you think that's wrong? 
What evidence can you cite? 

Verton: Again, you are assuming that international terrorism is a 
static phenomenon that is incapable or unwilling to adapt to the 
realities of the modern world. Your question also implies that 
tomorrow's terrorist will look like and act like today's terrorist. 
That's a classic case of underestimating one's enemy. You also wrongly 
assume that such an attack would be more costly and more difficult to 
plan and execute. The investment required for a highly targeted attack 
is minimal compared to a car bomb, and the payoff is potentially just 
as great in monetary terms. However, you are correct in your 
assumption that to significantly damage the whole of the 
infrastructure probably falls outside of the capabilities of terrorist 
groups. And depending on what infrastructure we are talking about, 
there is also the possibility of impacting public safety. The evidence 
is in the writings and the public statements of al-Qaeda members and 
supporters who have clearly shown an intense interest in damaging the 
economy of the "capitalist" states. I outline who these individuals 
are and what they have said and done in Black Ice. You should go back 
and read that section again more carefully. 

El Reg: People have talked about the possibility of attacking the 
Internet to interrupt commerce. But isn't there a paradox? If you use 
the Net as a weapon, but at the same time attack it, you're throwing 
sand in the equipment you're using. There are weaknesses in BGP and 
DNS that could be exploited, but by damaging the system, you're also 
cutting yourself off from it. Again, I believe a terror outfit would 
realize this if they researched it carefully, and conclude that it's 
not feasible to mount a sustained cyber-attack that would interrupt 
the Net across a broad area for any significant time. Why should I 
believe otherwise? 

Verton: Your question assumes that terrorists are interested in a 
sustained, multi-infrastructure attack in cyberspace. But we know that 
groups such as al-Qaeda are very patient with their planning and very 
deliberate about their target selection. Therefore, your question 
misses a very important support mechanism in guerilla warfare: using 
highly targeted cyber attacks or physical attacks against key cyber 
infrastructures as a force multiplier for traditional terrorist 
operations. You've accused me of making dire predictions with no 
evidence. I'm now accusing you of making wild assumptions about our 
terrorist enemies that are designed to make them fit your 
understanding of what terrorism is and what their goals are. And I'm 
also saying that your assumptions and your understanding of 
international terrorism are completely wrong. 

El Reg: Why shouldn't I be suspicious of the bureaucrats you quote in 
your book? Isn't cyber-terror an ideal mechanism for attracting 
homeland security pork? The technology is complicated and not well 
understood by the public, or members of Congress for that matter. It's 
easy to frighten people when they lack the technical savvy to evaluate 
these claims for themselves. Where is the evidence that cyber-terror 
is anything more than a scary story to enrich security vendors and 
increase federal security budgets? 

Verton: I don't quote bureaucrats. I quote highly-respected, 
long-standing professionals who have been in positions to know the 
truth about the various matters covered in the book. By naming Richard 
Clarke and Howard Schmidt, as you did in your review of my book, 
referring to them as "paranoid bureaucrats" and then implying that 
they and others would purposely spread disinformation to cash in on 
the homeland security pork, is to do what many do when they're on the 
losing end of a debate, and that's to engage in the politics of 
personal destruction. Are there bureaucrats who engage in this kind of 
behavior? Of course there are. But neither Clarke nor Schmidt are 
among them. And I say that knowing both of those men personally. They 
are true patriots at a time when patriotism is under attack. 

So there you have it: there seems to be little common ground between 
skeptic and believer. We leave it to the wisdom of our readers to 
decide which way to lean in the debate.

-=-

Editors' note: Following the above dialogue, Dan Verton sent us a 
piece, suggesting that this might be a more appropriate response to 
Tom Greene's original review of his book. This is not, unhappily, our 
considered opinion; we feel that Tom's review was and is a measured 
and rational examination of the subject, and see no reason for 
amendment or retraction. Equally, we are happy to publish Dan's 
viewpoint: 

A Feb. 25 review of my book, Black Ice: The Invisible Threat of 
Cyber-Terrorism, by The Register's Thomas Greene, claimed that my work 
failed to realize that "at its core, terror is about sudden and 
violent death, not inconvenience." 

I couldn't have asked for better support for what is actually the 
central thesis of Black Ice: the complete lack of sophisticated 
thinking on the part of the high-tech community about the evolution 
and future of international terrorism. 

The true face of al-Qaeda and other international terrorist 
organizations is one that few Americans, especially some "thought 
leaders" in the information security community, have come to 
appreciate and accept. It is a picture of a thinking and 
technologically sophisticated enemy that values formal training and 
education, and that understands the critical role that information 
technology plays in the day-to-day operations of America's economy and 
national security. 

Those in the information security community -- primarily technologists 
-- who assert that terrorism is only about terror lack a sophisticated 
understanding of the strategic goals of international terrorist 
organizations. Their assertion is based on a predilection to view 
homeland security through an antiseptic, mathematical lens. 
International terrorism, on the other hand, is a multi-faceted 
phenomenon that has long-term, strategic goals that go far beyond mere 
death and destruction. Anybody who has read the history of the French 
Revolution, during which the term terror was coined, knows that 
terrorism has never only been about terror. 

Specifically, groups such as al-Qaeda understand the need to strike at 
America's economy as a means to curtail American military action 
overseas and to reverse U.S. political support for Israel. To ignore 
this fact is to ignore the evolutionary nature of terrorist tactics 
and to appease those who would like to think that all terrorists are, 
and will forever remain, a mindless horde of thugs living a 
hand-to-mouth existence in caves in Afghanistan. 

The security appeasers want to ignore the facts: al-Qaeda's history of 
studying the use of modern technologies and its reliance on operatives 
with degrees in engineering; laptop computers seized around the world 
that contained evidence of al-Qaeda's interest in the computer systems 
that control the electric power grid in the U.S. and other critical 
infrastructures; the continued radicalization of young people who are 
studying mathematics, computer science and engineering; and the 
statements by Osama bin Laden and other radical Islamic clerics 
outlining the usefulness of attacks against the "technical systems" of 
large companies and the stock market. 

A large part of the intellectual inflexibility surrounding the IT 
security community's reluctance to accept cyber-terrorism as a clear 
and present danger (not to mention the broader concept of 
cyber-terrorism as a physical phenomenon) is a cultural reluctance to 
accept terrorist organizations as thinking enemies capable of adapting 
to the modern world. Such intellectual rigidity also stems from a lack 
of understanding of the strategic goals of groups such as al-Qaeda and 
why attacks against critical cyber infrastructures support those 
goals. 

This is not to say, however, that mass casualty attacks no longer play 
a role in global terrorism. What most observers fail to recognize is 
that fear and uncertainty are central themes of cyber-terrorism. 
Attacks on the financial infrastructure can create uncertainty and 
loss of confidence. Digital attacks on water systems that cause 
dangerous levels of chlorine to be released into drinking water can 
create fear in people who once felt secure from such remote enemies. 
The potential scenarios are endless, but all are economic in nature. 

But perhaps the most dangerous example of the IT security community's 
intellectual bankruptcy is the refusal to recognize that tomorrow's 
terrorist threat will not necessarily look and act like today's 
terrorist threat. In addition to the radical elements within the 
Pakistani Directorate for Inter-Services Intelligence (ISI), one can 
find future cyber-terrorists in the thousands of young Muslim children 
who are often fed a daily dose of hatred for America along with their 
studies in computer science, mathematics and engineering. In addition, 
one could also find ample evidence of bin Laden's computer hackers 
throughout the growing community of unemployed Russian scientists; or 
within organized crime syndicates in Russia, Malaysia, Italy, China, 
Japan, Colombia, or Mexico. 

But how long must we wait for the IT security community to start 
thinking about and preparing for this threat? Will we have to wait 
another eight years, as we did prior to Sept. 11, 2001 when the first 
clear signs emerged that al-Qaeda was studying the use of commercial 
airliners as precision strike weapons? If we continue to listen to 
those in the IT security community who continue to prop up an outdated 
understanding of international terrorism, we will once again be caught 
by surprise because we will have put our fate in the hands of people 
who are ignorant of the tectonic shifts of modern international 
terrorism. 

To not accept the evolving nature of the terrorist threat is to simply 
wish it away. And hope is not a sound basis for a critical 
infrastructure protection policy in the 21st century.



-
ISN is currently hosted by Attrition.org
