Cyberterror and professional paranoiacs
The US-led war on Iraq has begun.
Now wait for the hype about "cyberwar" and "cyberterrorism" to follow.
The first onslaught came this week when US homeland security secretary Tom Ridge said he was ratcheting up to an Orange Alert to coincide with the coalition forces' invasion. Ridge said his department would "monitor the Internet for signs of a potential terrorist attack, cyberterrorism, hacking, and state-sponsored information warfare."
Then, during an appearance on Thursday to ask a House panel for a fatter 2004 budget, Ridge claimed that cyberterrorists were just as dangerous as physical ones.
"We will not distinguish between physical and cyber in this new unit," Ridge said. "We will pay as much attention to the Internet as we do physical."
What is this guy thinking?
Last I checked, it was physical terrorists who bombed the Marine barracks in Lebanon, who attacked the U.S.S. Cole, who took out the Oklahoma City federal building, and who suicide-bombed the World Trade Center and the Pentagon.
Wily-fingered hackers had nothing to do with it.
Until recently, Ridge has seemed basically levelheaded about the real dangers of cyberterrorism. Someone who's close to Ridge told me that the secretary simply doesn't care that much about the topic, which would explain his silence.
But now that agency budgets are up for review, Ridge seems to be treading the same alarmist path as did his former cybersecurity deputy, Richard Clarke, who quit in January.
Clarke was a professional paranoiac, a modern-day Chicken Little blinkered by a career spent in the cloistered intelligence community. It didn't help that Clarke's résumé featured such harrowing tasks as planning for the "continuity of government" after a nuclear strike on Washington -- a job where no precaution is too extreme. Soon after President Clinton appointed him to a "national coordinator" post in 1998, Clarke became infamous for darkling warnings about the spectre of a "digital Pearl Harbor" that would snarl computers and roil the world's economy.
To understand this bureaucratic mindset, consider that -- while at the US State Department in the mid-1980s -- Clarke concocted a zany plan to incite a coup against Moammar Gadhafi to punish the Libyan strongman for embracing terrorism. Clarke's suggestion: SR-71 spy planes would buzz Libya, creating sonic booms that would appear to herald an invasion, thus unnerving Gadhafi. Meanwhile, the US Navy would fake hostilities off the coast and the State Department would encourage "speculation about likely Gadhafi successors," according to a memo coauthored by Clarke. After news of the plan leaked, an embarrassed Reagan White House unceremoniously ditched it. The New York Times' William Safire dubbed the scheme "stupid and venal".
Clarke's penchant for the dramatic, which I witnessed firsthand when I spent an hour interviewing him in December 2001, extended to a farewell statement he circulated in January. It warned of the dangers of the SQL Slammer worm, which infected servers running Microsoft software.
In that statement, Clarke claimed that Slammer "disabled some root servers, the heart of Internet traffic." Not true. A report from the RIPE Network Coordination Center -- one of the Internet's four regional registries -- said that at most the worm slowed connectivity to two of the 13 root servers and did not disable any of them. "This did not cause any degradation in [domain name system] service," RIPE concluded.
Clarke also claimed that "a national election/referendum in Canada was cancelled" due to computer mischief. At best, that was a reckless exaggeration. What actually happened is that Canada's New Democratic Party held a leadership convention and found their Internet voting to be sluggish. CBC reported that voting was completed just 45 minutes behind schedule.
It's not just Clarke and Ridge. Exaggeration is easy when you're a bureaucrat hoping to make yourself seem more important and thereby fatten your paycheque at your next job, or when your funding is up for review, or when you want to lobby for new and probably unwise laws that would endanger privacy or impose additional costs on technology firms (one of Clarke's pet ideas).
It's important to remember that, as CNET News.com reported in detail last year, it's always easier to bomb a target than hack a computer. Although it is possible for electronic intrusions to damage infrastructure and threaten physical danger, taking control of those systems from the outside is extremely difficult, requires a great deal of specialised knowledge and must overcome noncomputerized fail-safe measures.
Put another way, I've never heard of one death that could be attributed to "cyberterrorism." Not being able to check your email for a day is an annoyance, not terrorism, as Counterpane's Bruce Schneier said last week.
On Thursday evening, President Bush said he would nominate Frank Libutti to be Ridge's undersecretary for "Information Analysis and Infrastructure Protection," a position that will have key Internet responsibilities. Libutti currently is deputy commissioner for counterterrorism at the New York City Police Department, and is also a retired lieutenant general in the US Marine Corps.
The Internet community should work with Libutti to put the threat of cyberterrorism in perspective. We don't need any more government officials clamouring for intrusive new laws and claiming, against all common sense, that a "digital Pearl Harbor" is just around the corner.
Cybercrime News Archive