'Black Ice: The Invisible Threat of Cyber-Terrorism'
By Dan Verton
Date: August 12, 2003
Not long ago, cyber-terrorists were Public Enemy Number One. In the summer of 2000, a malicious, reclusive hacker released a computer virus called "I Love You" that raced around the globe, destroying $10 billion worth of data. Spies worldwide scrambled to hunt him down, and newspapers ran horrified above-the-fold coverage. Cyberspace seemed like the scariest place on Earth.
Then two planes flew into the World Trade Center -- and the real, physical world became instantly scarier. Terrorists were real, but they weren't invading our desktops, and they weren't even very technologically innovative. On the contrary, their tools of choice -- box cutters -- were so savage and low-fi they wouldn't have been out of place in an invasion of a suburban home.
Explosions, destroyed buildings -- that's the stuff that scares the pants off America. So ever since Sept. 11, it's been hard to get worked up about hackers, viruses and digital mayhem. It all seems like a narcissistic indulgence of the dot-com era, when the Internet was the biggest thing going. When a Manhattan friend recently saw me reading a copy of Black Ice, he scoffed: "That stuff is crap. They're not gonna attack us on the 'Net. They're going to set off car bombs in Times Square. They want dead bodies."
This, in a nutshell, is what the book's author, Dan Verton, is up against. Because he argues that terrorists are indeed developing a new generation of cyberattacks -- and they'll be far worse than anything we could imagine, precisely because we aren't guarding against them. Verton is as credible a digital Cassandra as you can get^; he is a former intelligence officer, and his superb investigative journalism for Computerworld magazine recently forced American Airlines to clamp down on its lax wireless technology, which left bag-checking devices open to be messed with.
Some of the examples Verton unearths are certainly spooky. Back in 1996, a Swedish teenager remotely generated so many calls to 911 in southern Florida that he tied up the system. Another hacker today is developing a virus that can commandeer mobile phones and have them similarly flood 911 with phantom calls. Or consider the power grid: In the six months following the World Trade Center attacks, security companies logged 129,000 intrusions, many of which "appeared to be sponsored by governments or organizations in the Middle East," as Verton darkly notes. Imagine no electricity for, say, an entire week: food rotting, crime surging, no phones, and business ground to a halt.
Which is Verton's point: Genuine cyberterrorism will be as physical as a punch to the gut. Who cares about teenage hackers defacing Web sites with misspelled taunts and pictures of porn stars? Let 'er rip, kids. You're only hurting our browsers. Al Qaeda, Verton suggests, would use the virtual world merely as a vehicle with which to attack the real one, and leave plenty of dead bodies. Verton envisions "swarming attacks," combinations of virtual and physical blows: A dirty bomb blows up in Washington, D.C., while a cyberattack wreaks havoc at the nearby hospitals.
And whoops -- as Verton discovers, those hospital computers aren't terribly well guarded. Neither are those of banks, airline systems and most utilities. This is because they're for-profit concerns, and, frankly, security is expensive and inefficient and cuts down on profits. This is a weird turning point in national security. In the old days, the government controlled the important borders of sea, air and land. But now, folks like Merrill Lynch and Verizon -- and, for that matter, you sitting there at your computer -- control the data borders. For the first time, a big part of national security is at the mercy of a rather indifferent free market. This is not to suggest that massive government regulation would be a necessarily better answer^; it was, after all, the Bush administration that out-Orwelled Orwell by patching together the Total Information Awareness program. Just imagine the government's paranoid clampdown after the first big terrorist cyberstrike takes place.
Or, should I say, if it takes place. In the end, Verton never offers up a smoking gun. There may well be Al Qaeda hackers out there perfecting evil ways to commandeer air-traffic-control systems. But if there are, we never meet them via any first-hand reporting. Verton doesn't wear out his shoe leather hunting through Afghanistan and Pakistan for these guys^; indeed, he rarely seems to leave his desk. Rather, he relies hawkishly on government reports that nervously prophesy cyberchaos. And these reports are, unfortunately, maddeningly hypothetical: This terribly-bad-thing might happen^; that even-more-awful-thing could take place. This makes them somewhat hard to trust, in the wake of our "Where's Waldo?" hunt for Iraq's supposed weapons of mass destruction. Trumping up threats to keep defense budgets fat is the oldest game played by Pentagon insiders.
Still, as a longtime computer geek, I've seen how brittle, complex and friable computer systems can be. It's possible that Verton is simply wrong. But if he's right . . . we'll pine for the days when the worst thing a virus could do was waste $10 billion.
Original article at: http://www.washingtonpost.com/wp-dyn/articles/A31867-2003Aug7.html
^macro[showdigestcomments;^uri;'Black Ice: The Invisible Threat of Cyber-Terrorism']