Wednesday, July 27, 2005

Is Cyber-Terrorism a Threat?

Turnrow Magazine features an enlightening interview with security guru Bruce Schneier that touches on, among other things, the threat of terrorism.

Now, in general, Schneier is acknowledged as one of the brightest minds in the security business. From time to time, I might find areas where I might disagree with Schneier: Video cameras in public places, for instance (Rich Lowry also has an exceptional discussion of the merits of camera surveillance entitled, "Caught on Tape").

And, once in a while, Schneier will wander off course:

Most criminals are copycats... [however] al Qaeda has shown itself to be very inventive. They never do the same thing twice; they always think of something new.

Cases in point: the twin London train attacks of 7/7 and 7/21 are evidence of copycat crimes.

But overall, Schneier is consistently rational and well-spoken on the topics surrounding security. In this portion of the interview, he deals with the so-called cyber-terror threat.

CKG: Is it possible that al Qaeda and similar organizations can launch virtual attacks, presenting us with something of the equivalent of a cyber 9/11?

BS: Not for a long time. These attacks are very difficult to execute. The software systems controlling our nation's infrastructure are filled with vulnerabilities, but they're generally not the kinds of vulnerabilities that cause catastrophic disruptions. The systems are designed to limit the damage that occurs from errors and accidents. They have manual overrides. These systems have been proven to work; they've experienced disruptions caused by accident and natural disaster. We've been through blackouts, telephone switch failures, and disruptions of air traffic control computers. The results might be annoying, and engineers might spend days or weeks scrambling, but it doesn't spread terror; the effect on the general population has been minimal.

The worry is that a terrorist would cause a problem more serious than a natural disaster, but this kind of thing is surprisingly hard to do. Worms and viruses have caused all sorts of network disruptions, but it's happened by accident. In January 2003, the SQL Slammer worm disrupted 13,000 ATMs on the Bank of America's network. But before it happened, you couldn't have found a security expert who understood that those systems had that vulnerability. We simply don't understand the interactions well enough to predict which kinds of attacks can cause catastrophic results, and terrorist organizations don't have that sort of knowledge either, even if they try to hire experts.

The closest example we have of this kind of thing comes from Australia in 2000. Vitek Boden broke into the computer network of a sewage treatment plant along Australia's Sunshine Coast. Over the course of two months, he used insider knowledge to leak hundreds of thousands of gallons of putrid sludge into nearby rivers and parks. Among the results were black creek water, dead marine life, and a stench so unbearable that residents complained. This is the only known case of someone successfully hacking a digital control system with the intent of causing environmental harm...

Bathe yourself in the fount of wisdom and read the whole thing.

TurnRow: Bruce Schneier Interview
