What harm could come from cyberterrorism?
COMMENTARY--In the bygone flower-power days, peace activists asked: "What if we held a war and nobody came?" However, last week's RSA Security Conference showed that we won't need an invitation to cyberwar--it's as close as our Internet connections.
In the first of a two-part series, my colleague David Coursey blocked out the major issues surrounding cybersecurity, or its lack, with reports of slim spending for protection. "Let's avoid the tendency to throw up our hands," he wrote. "Yes, there are so many potential targets and means for an enemy to do us harm--information warfare is just a tiny part of this catalog--that we can't possibly protect everything. But by making it tougher to succeed, we can reduce the number of potential adversaries and, perhaps, make their work against us easier to defeat."
A CONSENSUS OVER protection measures was missing in your TalkBack discussion. (And I'm trying to forget the long threads on gun control and driving laws.) Several of you decided that the potential for widespread harm was overstated.
"Companies that rush out and spend big money on securing their digital systems specifically to guard against cyberterrorism are wasting their money," Fred Fredrickson observed. "The money spent on protecting digital assets should reflect the cost of replacing them. For 90 percent of businesses, this means basic system security (logon and expiring passwords), restriction on Internet access, and regular backups. That's it."
"Are you guys stoned?" Lisa Powers wondered. "Gee, my computer network was crashed by a cyberterrorist. Oh, no! Let's take a body count. Zero. OK, let's restore from backups, close the hole, and continue on."
"You guys have been watching too many science fiction shows to be believing that the world revolves around the Internet," Powers continued. "You can't name a system that REQUIRES computers to be connected to an Internet, with the [exception] to download from porn sites and news rags. If a terrorist wants to trash the Internet, I say 'Have fun.' Maybe that will be a day or two without spam."
TO MANY OTHERS, the naysayers are just sticking their heads in the sand.
"If a cyberterrorist manages to get into and crash the airlines' reservation systems, a major banking system, or even a company with a national presence, it costs ALL of us," John Marks countered. "If you look at the origin of most of the major virus attacks, they have come from outside the United States. Is this just a coincidence, or are there governments out there that are trying to disrupt us in any way they can? I think a lot of the virus attacks are actually terror attacks, and should be dealt with in the harshest of manners."
"It is not outside the realm of probability that our cyberinfrastructure can be maliciously attacked by unknown parties, using our networks for their own advantage, and making it 'look' like someone else is to blame altogether," Sandy Heer warned in a long post that included a recent unpleasant experience with an e-mail virus. "You would think with all the years of preparation that went into [guarding] our systems against what might have happened when the century changed in 2000, we would be taking this potential for disaster a lot more seriously."
STILL, SOME OF YOU were unsettled by the scale of the cyberterrorist problem and the lack of available resources to tackle the problem, both in and out of the enterprise. For some, the real cure may be one of architecture rather than implementation.
"You're wasting your time, IT just hasn't evolved enough yet. We do an awful lot of whining about the problem of IT security, but most of us haven't a clue [about] the heart of the problem," Grahame Wilson said, pointing a finger at Microsoft's recently adopted Trustworthy Computing policy. "At the moment, we construct our IT data protection systems like a medieval fortress with a moat around it, but it only takes one blanket carrying plague fleas to enter via the drawbridge to make the embattlements useless. The answer lies in a different approach that does away with firewalls but requires all data to be encrypted, ID-ed, and then authenticated, whenever it is moved or used. This is impossible now, as our present operating systems don't support encapsulation and authentication at kernel level."
A COURSEY POINTED OUT, the path of least resistance is inaction. While the most difficult step is the first one, in this case, it may also be the easiest. There is something we can all do right now.
Start with a thorough security examination of your systems and servers, both at work and at home. It's a task that we often take for granted, and I will bet that you'll find several holes to plug and patches to install. Perhaps a firewall update.
Yes, it may well be a baby step. And what's the matter with that?
David Morgenstern, past editor of eMediaweekly and MacWEEK, is a freelance editor and branding consultant based in San Francisco.