Newsscan Computer Security Column
Stephen Cobb, CISSP and Chey Cobb, CISSP
Is Cyber Security an Oxymoron?
In last week's column about the Slammer/Sapphire/SQL Server
worm, we made a fairly provocative statement. We said that the Internet
exists at the whim of those who know how to destroy it. This is not something
many people want to hear. Indeed, we hesitated to say it because saying
things like that can get you labeled as an extremist, crackpot, or worse.
The outgoing head of cyber-security for the Bush administration, Richard
Clarke, was probably sensitive to such labeling when he crafted his farewell
statement last week, a copy of which was leaked onto the Internet. He
said: "The events of the last weekend demonstrate yet again how vulnerable
our society is to cyberspace attacks. The Sapphire Worm was essentially
a dumb worm that was easily and cheaply made... Nonetheless, the results
of the worm were significant. It spread to hundreds of thousands of machines
in less than 15 minutes. It disabled some root servers, the heart of Internet
traffic. Although it was aimed at servers, it caused routers to flop and
cease to function. Some airline flights were delayed or cancelled. Some
banking functions ceased. A national election/referendum in Canada was
canceled. Workers were sent home at some major US companies."
Clarke then started down the road that we have been on: "With slight
modifications, the results of the worm would have been more significant.
More sophisticated attacks against known vulnerabilities in cyberspace
could be devastating. As long as we have vulnerabilities in cyberspace
and as long as America has enemies, we are at risk of the two coming together
to severely damage our great country. We can not assume that the past
level of damage is in any way indicative of what could happen in the future."
We think this is a fair and reasonable assessment. And yet, judging by
some of the reaction we have read, the point he was trying to make was
lost on many people. Techno-weenies were anxious to point out technical
errors in what he said (multiple root servers didn't actually crash and
the Canadian election story was inaccurate). The anti-federal crowd suggested
it was just an alarmist tactic to increase funding. The techno-cynics
asked what the fuss was about, since computer failures don't kill people,
and called cyber-terrorism an oxymoron.
We admit cyber-terrorism is a much abused and overused expression, but
if you take a moment to think about it, the implications of what we, and
Clarke, are saying, do apply to the three main meanings of the term. First,
consider cyber-terrorism as the ability to scare people, using computers.
We don't think it will take many more ATM and 911 system failures like
the ones caused by Sapphire/Slammer to scare consumers.
Second, consider cyber-terrorism as the use of computers to enhance traditional
terrorism (the most intelligent discussion of this that we have read is
the paper by Sarah Gordon and Richard Ford in Computers and Security,
Elsevier Science Publications, Vol. 21). One scenario is a worm attack
on the Internet timed to coincide with a real world terrorist event and
hinder attempts to respond, thereby increasing the impact.
Third, consider cyber-terrorism as the abuse of freedoms
inherent in an open system, just as real world terrorism is an abuse of
our open societies. Many real world systems exist at the whim of those
who have the means to damage or destroy them. So does the Internet. There
are people who can write code far more devastating than Sapphire/Slammer,
but for a variety of reasons they don't. So instead of trying to pick
fault with those who are pointing this out, intelligent minds should be
focused on determining:
a. how dependent upon the Internet are we?
b. how will we manage when it goes down?
c. how can we make it more resistant to attack?
For the record, we believe Richard Clarke was trying to bring resources
to bear on answering those questions. Sadly for him, and us all,
it provoked more criticism than praise.