Computer crime, cyber crime, cyber terrorism problemsLogo - Computer Crime Research Center (CCRC)

Cyberwar, what's it good for? Virtually nothin'

JACK KAPICA In 1917, U.S. Senator Hiram Johnson wasn't thinking of cyberspace when he said: "The first casualty, when war comes, is truth." But he might as well have.

The U.S. administration, champing at the bit to invade Iraq, has issued an unprecedented barrage of warnings about digital warfare, raising fears that foreign hackers might target vulnerable networks.

It's nothing new: In 1998, U.S. journalist James Adams wrote a book called The Next World War, which revealed the Pentagon was preparing defences against enemy programmers who might use the Internet to shut down hydroelectric generators, paralyze the armed forces, destroy giant corporations and post silly messages on people's Web sites.

No doubt this is a possibility; it remains a distant probability, however, if only because terrorists have yet to do these things even though they obviously have had technological smarts for some time.

And there were only 10 documented cyberattacks on U.S. and British targets on Feb. 17, the day of massive worldwide anti-war protests that many security people warned would also be a nice day for cyberterrorism.

More likely, Washington's warnings are an attempt to deflect attention away from the U.S. military's own high-tech efforts to bring Iraq to its digital knees in a Motherboard of all Battles.

The emptiness of much of the fear mongering is visible in the National Strategy to Secure Cyberspace, a list of "policy initiatives" issued by the Bush administration's Department of Homeland Security.

The guidelines have no teeth; surely they would have been given some legislative bite if Washington really believed in the imminence of a cyberwar.

The current overheated rhetoric is enough to distort corporate reasoning.

While most CEOs would like to believe that their corporate secrets, in the wrong hands, would be capable of damaging entire economies, most companies have to admit they are not really juicy enough to be targeted by terrorists.

Still, one can't be cavalier in this atmosphere. Investor confidence is at stake. Corporate bosses must whether their systems are reasonably protected.

Should they increase spending on security? Can they trust their security outsourcers? Do they in fact need an upgrade?

The economy is still not healthy enough for most corporations to go on a network security spending spree. Especially since there have been no reports of Iraq-related cyberwar incidents.

Nothing has brought the distorted atmosphere into sharper focus than the debate that has just broken out between two leading cybersecurity companies.

British-based mi2g Ltd., digital-risk specialists and makers of "bespoke security architecture," squared off against the Internet Security Threat Report released late last year by U.S. security specialist Symantec Corp.

Symantec had reported that, aside from digital worms, the rate of attacks on corporate networks over a six-month period in 2002 had actually dropped 6 per cent from the previous six-month period.

For its part, mi2g countered that Symantec was calculating attacks only on those networks protected by Symantec's own security products the implication being that it is in Symantec's marketing interests that the number of attacks be low, and preferably falling.

As though Symantec were trying to prove that criticism correct, it then released another new product, called the DeepSight Threat Management System, which Symantec describes in near-military terms as a "unique early warning system [that] provides a comprehensive bird's-eye view of global Internet attacks."

Using different measuring tools, mi2g reckoned that during the same period, there was in fact a 229 per cent increase in verifiable overt digital attacks worldwide in 2002, rising steadily each month from 2,877 in January to 14,327 in December.

These are scary numbers. With digital assaults more than doubling over the year, then perhaps James Adams' book was right after all when it claimed that the next world war would be fought by geeks.

And mi2g bolsters that fear by pointing at its own Security and Intelligence Products and Systems database, which has counted more than 150,000 attacks by 6,500 hacker groups.

But let's wait a minute.

Chief executive officers keeping score should note that even in mi2g's frightening reckoning, Canada ranked a miserable seventh in overall digital attacks last year with 2,642, well behind the United States (32,434), Brazil, Britain, Germany, Italy and France.

Brazil in second place? Italy in fifth?

If mi2g's calculations are at all accurate, then we have to conclude that there is little correlation between digital attacks and the current fearful atmosphere generated by the threat of a war with Iraq.

More interesting is one statistic on which mi2g and Symantec agree: More than half of recorded digital attacks have been the result of misuse and abuse of networks by employees.

Put all together, the reports from mi2g and Symantec suggest two things: Corporate network security is threatened more by internal incompetence, disgruntled employee vengeance or simple snooping than it is by international terrorism or domestic vandalism; and that now, more than ever, chief executive officers and their chief technology officers must maintain cool heads and be in constant consultation with each other while so many security experts and even government agencies are inflating the risks of cyberterrorism.

Balancing corporate spending restraints while being urged to increase network security is a difficult task for corporations to accomplish, especially in times of economic distress and international uncertainty.

So now it falls to the guardians of cyberspace to prevent truth from being the first casualty in cyberwar.

Home | What's New | Articles | Links
Library | Staff | Contact Us

Copyright Computer Crime Research Center 2001, 2002 All Rights Reserved.
Contact the CCRC Office at +38 061 220 12 83