ANALYSIS: Warnings about cyber-terrorism are overblown

[InfoSec News <isn () c4i org>]

http://www.nandotimes.com/technology/story/793752p-5670026c.html

By LISA HOFFMAN, Scripps Howard News Service
 
(March 5, 2003 8:22 p.m. EST) - In Malaysia, an anti-war hacker has
vowed to unleash a voracious computer virus if America launches an
attack on Iraq.

A hacking group calling itself the Iron Guards is threatening "suicide
cyber-attacks" if war occurs.

And the pro-Islamic, underground cyber-outfit USG, which in September
hacked three computer systems hosted by AOL Time Warner, has already
defaced Web sites with messages criticizing an Iraq invasion.

These and other cyber-threats have spurred some computer security
experts to fret that war with Iraq could spawn waves of retaliatory
hacking against the U.S. government and businesses.

"As the imminent U.S. ... action on Iraq gains momentum, we are
expecting more attacks of a similar nature," D.K. Matai, chief
executive of the London computer security firm mi2g, said recently.

Also apparently worried is the FBI.

Last week, the bureau's National Infrastructure Protection Center
issued a warning about an outbreak of "illegal cyber-activity" due to
"increasing tensions between the United States and Iraq." The advisory
said computer users and operators should be on guard against Iraq
sympathizers, anti-war activists and even criminals using the cover of
the Iraq crisis to "further personal goals."

But while some e-sabotage may spark across the Internet, a look at
similar predictions of cyber-terrorism shows that whatever hacking has
occurred in past times of international crisis has essentially
amounted to minor disruptions of fleeting consequence.

For instance, after both the Sept. 11 terror attacks and the start of
the U.S. assault on al-Qaida in Afghanistan, the FBI predicted a surge
in cyber-hacking and -protests by anti-American partisans. Not only
did that not happen, but the level of everyday attacks actually
declined in some areas since the U.S. war on terrorism began.

The attacks that did materialize were insignificant. A Pakistani
hacking group defaced a Web site operated by the Pentagon's Defense
Test & Evaluation Service with a message about Islam and the threat to
attack 1,500 more sites.

But the obscure and unclassified Pentagon training site was
immediately fixed and the suspected hackers were quickly caught and
turned in to the FBI. In another case, an e-mail "worm" bearing
messages about al-Qaida leader Osama bin Laden was launched but did
scant and easily repairable damage.

Similarly, during the war over Kosovo in 1999, U.S. government
Internet sites came under a barrage of cyber-attacks as partisans
angry about America's accidental bombing of the Chinese Embassy in
Yugoslavia vented their rage electronically. But neither classified
nor even sensitive sites were breached, although the White House's
public Web site was attacked and the National Park Service's home page
was temporarily knocked asunder.

In fact, a growing number of computer security experts are downplaying
the threat of cyber-war and -terrorism and speaking out against what
they consider the undue hype surrounding both issues.

"While there is much fear, uncertainty and doubt associated with the
term, I posit that cyber-terrorism is really nothing more than a paper
tiger," said Richard Forno, author of a book on information warfare
and former chief security officer at Network Solutions, a computer
services company.

While acknowledging that a paralyzing or even seriously injurious
cyber-attack against U.S. computers could occur, these experts count
the odds as remote, and growing more so all the time.

That is partly because of substantial strides being made in security
defenses to protect the most important U.S. government and private
industry computer operations. It also stems from the fact that many
U.S. adversaries aren't particularly computer-savvy. Iraq, for
instance, has shown interest in developing an "information warfare"  
capacity, but is believed to have invested little time or manpower in
the complex task.

Georgetown University professor Dorothy Denning, considered in the top
tier of cyber-security analysts, and other experts point to a recent
U.S. Naval War College war game called "Digital Pearl Harbor," in
which a sweeping attack on America's computer networks was simulated.  
But the gamers determined that, to cause serious damage, assailants
would need $200 million, an array of sensitive intelligence and five
years of preparation time.

In effect, these experts contend, the cyber-attacks so far have been
the computer equivalent of spray-painted graffiti on a front door.

Author Forno says terrorists are not dumb - they are looking for the
biggest bang for their buck. A darkened computer screen or briefly
disabled electrical grid pales in contrast to the horrifying
destruction wrought in the Sept. 11 attacks.

"Bin Laden, (Saddam Hussein) or any other terrorist is not going to
snicker and proclaim a victory over the Great Satan simply because his
geek corps manages to crash the NASDAQ trading system," Forno recently
wrote. "Would you remember exactly where your were and what you were
doing if a cyber-terrorist temporarily disrupted the NASDAQ Web site?  
Probably not.

"Will you remember where you were when the second hijacked 767 rammed
into the World Trade Center? Most certainly."



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.