Cyberterrorists are the enemy too

While worms and viruses have yet to threaten loss of life, Rob Fixmer argues that they can be considered terrorist acts. One day, a highly sophisticated worm might throw civilization into chaos.
Written by Rob Fixmer, Contributor

COMMENTARY--As Attorney General John Ashcroft fielded reporters' questions last Tuesday about the attack on the World Trade Center and the Pentagon, one journalist asked if a new computer worm, discovered only hours earlier, was in any way related to the terrorist strikes. It was not, Ashcroft assured the nation--or at least, there was as yet no evidence linking it to Osama bin Laden and his ilk.

Somehow that was not altogether reassuring. Yes, it suggested that the same evil minds who plotted the deaths of thousands and the destruction of our national icons in a relatively low-tech assault had not evinced the technological sophistication to attack our computer networks. Not yet, anyway.

But it also reminded us that the numbers of our invisible enemies are growing each day, turning our commitment to freedom and openness into sundry weapons capable of destroying us.

It is no exaggeration to describe the creation of computer viruses and worms as terrorism. While none has yet threatened loss of life, as our culture grows increasingly dependent on the network of networks to organize and maintain our social, commercial, military and political institutions, some highly sophisticated worm will eventually wield deadly powers. It will not kill through physical assault, but through deprivation - emergency supplies cut off, urgent calls for help unheard, defenses unplugged. It will kill by throwing crucial institutions into chaos by simply erasing or corrupting the data on which we increasingly depend for daily sustenance.

As the world's political leaders counsel patience and perseverance in a type of war never before waged, we risk enormous peril if we take our eyes off the cyberfront. In some ways, digital terrorism will be even harder to combat than suicide bombers and elusive snipers--first, because the attackers are often armies of one whose motivation is unknown, and second, because so much of our aggregate defenses depends on private companies whose allegiances will always be divided between social responsibility and profits.

As intoxicated as we've become with the notion that the market must decide all things commercial, software developers have proven themselves to be socially irresponsible by consistently releasing products that are vulnerable to attack. Surely, the leaders of the computer industry--men and women cited as visionaries at every opportunity--have realized that network terrorism is an escalating war. It's time to adopt and enforce industry standards with enough teeth to make them stick.

That said, before we start pointing fingers at Microsoft, I suggest we take a long hard look in the mirror. How many of us have been vigilant in applying the patches developers have made readily available--often proactively? How many of us have circumvented password protections because we couldn't be bothered? How many can say we have been completely vigilant in monitoring firewalls and network diagnostics? How many of us, in fact, have been asleep at the wheel?

It's not Microsoft's job to protect us from ourselves, from our inertia or our unwillingness to invest human and capital resources in our own barricades. It's not Microsoft's job to force ISPs to wage a cooperative war on denial-of-service attacks. Nor can Microsoft, as large as it is, act as the world's software police or central administrator of defensive information. That role lies with industry and government, which have so far compiled a very sorry record in collaborating against cyberterrorism.

And finally, a great deal of responsibility lies with the hacker community, which consistently criticizes worm and virus attacks and denies any responsibility for their existence, but in truth condones a shadowy subculture that nurtures these terrorists. Three years ago, IBM sponsored a daylong seminar on cyberforensics at its headquarters in Armonk, N.Y. The event drew some of the brightest lights in the hacker world, but when one speaker attempted to distinguish between "black hat" and "white hat" hackers, he was booed. Hacking was "not about morality," one member of the audience shouted.

In the immortal words of Harry Truman: bullshit! There are no moral shades of gray here. We cannot condone the argument put forth by social misfits at keyboards that Microsoft products must be attacked to expose their vulnerabilities. Everyone knows there are responsible ways to hack a product. Releasing a worm or otherwise attacking an undefended network is not among them. It's time the hacker community weeded out the evil in its midst.

The bottom line is that we are already engaged in an escalating confrontation that holds frightening consequences for our economy, culture and well-being. Winning the war against cyberterrorism will require never-ending vigilance--and patience and perseverance--on the part of all of us.

Editorial standards