Forwarded From: William Knowles <erehwon@kizmiaz.dis.org>
LONDON (June 7, 1998 2:26 p.m. EDT http://www.nando.net)
You jolt awake, trembling, in the middle of the night with that
recurring nightmare. The bad guys have penetrated the Pentagon's
computers. They now control the instructions for the U.S. nuclear
arsenal and are holding the Western world to ransom.
Unless their demands are met within 24 hours, destruction will
rain down on Washington, New York, Paris and London.
Is this just the fevered imagination of juvenile Hollywood script
writers? Or are defence planners justified in seeking to spend
huge sums to combat a compelling danger?
According to experts interviewed by Reuters, you can relax.
The threat is more Hollywood than hard fact.
Some experts say that companies trying to sell the latest security
software are exploiting these fears.
Governments seek power over Internet commerce
Others say that governments, worried by the prospect of falling
tax revenues as more business is transacted across the Internet,
are happy to play along with this too. If the terrorism fear can
be played up, governments would have an excuse to grab more power
to pry into and regulate Internet commerce.
Movies like "Sneakers," where a hacker played by Robert Redford
steals a code-cracking device that can break into any computer in
the world, have softened up audiences to the notion that a serious
danger exists.
Some defence planners and parts of the media have jumped on the
bandwagon suggesting that the United States and the West needs to
protect itself from the potentially devastating peril posed by
cyber warfare.
This assumes that terrorists or rogue states can, in theory,
relatively cheaply crank up a computer-based campaign against
superpowers and win, using cyber warfare.
Cyber terrorism a theoretical danger
"Theoretical. That's the right word," said Peter Sommer, senior
research fellow at the London School of Economics.
Penetrating and manipulating networks poses awesome problems,
according to Sommer.
"To hit a major network you need to know how it works, what back-up
there is, you need a great deal of information," Sommer said.
"You would need to infiltrate someone into the organisation.
They would need to know how to write code and introduce it onto
the system. I'm not saying it cannot be done, but for quick effect
it may be better just to place a bomb."
Dr Andrew Rathmell, of the International Centre for Security
Analysis at King's College, London, said military sites present
a tough target for terrorists. But so-called information warfare
techniques could in theory inflict great damage on civilian
infrastructures such as power grids, rail and air transport,
as well as telecommunications.
Rathmell said financial systems were well protected but because
of increasing interdependency, the knock-on effect of damage to
infrastructure was difficult to predict.
"Infrastructure attacks could have an effect like strategic
bombing. You no longer need to go through armed forces to attack
civilians. You can go in under the wire," Rathmell said.
Terrorists face formidable technical barriers
"But what can they really do? It's all pretty improbable. Key
systems to launch nuclear weapons, key communications in the
White House are pretty well hardened and protected. Only a
really switched on secret service could penetrate that,"
Rathmell said.
Dr Ross Anderson, of Cambridge University's computer laboratory,
also doubts the power of this threat, despite President Bill
Clinton's call to arms against cyber terrorism made on May 22.
Clinton called for safeguards to shield U.S. infrastructure and
computer systems.
"We must protect our people from danger and keep America safe
and free. Our vulnerability, particularly to cyber attacks, is
real and growing," Clinton said.
Anderson doesn't buy this argument.
"Information warfare seems to be a marketing exercise rather
than anything else. It's the computer security community trying
to increase sales to the (U.S.) federal government," he said.
Anderson pointed to a recent, foiled Irish Republican Army plot
in Britain to blow up power stations around London.
"That would have caused devastating damage - with dynamite, rather
than messing around with computers," Anderson added.
He believes that government plans to seek "mandatory key escrow"
in the name of protection against computer crime was a sneaky way
of imposing control over citizens' privacy.
"Mandatory key escrow" means that citizens protecting their
electronic business with encrypted computer code would have to
provide government regulators with keys to that code.
"Governments are trying to get control over electronic commerce,"
Anderson said.
Teenage hackers persistent, lucky
What of perennial stories in newspapers that another 16-year-old
has hacked into Pentagon computers?
The LSE's Sommer dismisses this danger. The incidents happened
only to insecure networks on old computers.
"You must remember that the U...S. military has over two million
computers which are mostly insignificant. Most secure systems
are isolated," Sommer said.
"These big hacker cases; sixteen year olds could get in, not
because they were clever but persistent and basic standards of
security were very poor indeed.
"Lots of money will be spent on curing this problem and nearly
all of it will be wasted on sexy sounding projects. What you
really need is auditors to check systems," Sommer said.
-o-
Subscribe: mail majordomo@sekurity.org with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
Received on Sun Jun 7 20:41:40 1998