Eek. The information-security industry says a cyber-terrorist attack on the US is imminent.
From Ars Technica on Saturday:
A sampling of computer security professionals at the recent Information Systems Security Association conference found that a majority of them believe there will be a “major” cyber terrorism event within the next year. The survey, conducted by the network security and hardening vendor Ixia, found that of 105 attendees surveyed, 79 percent believe that there will be some sort of large-scale attack on the information technology powering some element of the US’s infrastructure – and utilities and financial institutions were the most likely targets. Fifty-nine percent of the security professionals polled believed that the US government should be responsible for protecting citizens from cyber terrorism.
Certainly, there is no shortage of talk about such a threat. Peter W Singer has counted more than 31,000 articles about “cyber terrorism”. And “the number of people that who been hurt or killed by cyber terrorism”? Nil.
The category, writes the Brookings Institute Analyst in the US Armed Forces Journal late last year, is something of a “bogyeman”, having become a bit “like the Discovery Channel’s “Shark Week,” when we obsess about shark attacks despite the fact that you are roughly 15,000 times more likely to be hurt or killed in an accident involving a toilet”.
Cyber terrorism is defined by the FBI as a “premeditated, politically motivated attack against information, computer systems, computer programs and data which results in violence against non-combatant targets by subnational groups or clandestine agents.” And yet, writes Singer, “many discussions sweep all sorts of nonviolent online mischief into the ‘terror’ bin …
Various reports lump together everything from Defense Secretary Leon Panetta’s recent statements that a terror group might launch a “digital Pearl Harbor” to Stuxnet-like sabotage (ahem, committed by state forces) to hacktivism, WikiLeaks and credit card fraud. As one congressional staffer put it, the way we use a term like cyber terrorism “has as much clarity as cybersecurity — that is, none at all.”
None of which is to say, Singer stresses, that terrorist groups aren’t keen to use cyberspace to enact violence. Nor is it of no concern whatsoever. But the evidence is clear:
So far, what terrorists have accomplished in the cyber realm doesn’t match our fears, their dreams or even what they have managed through traditional means.
Authorities would be better, he argues, to devote their attentions to “looking at how terror groups actually use the Internet, rather than fixating on nightmare scenarios, [so that] we can properly prioritize and focus our efforts”.
While the cyber era allows terror groups to easily distribute the playbook of potential terrorist tactics, techniques and procedures, it also reveals to defenders which ones are popular and spreading. If individuals and groups can link up as never before, so too do intelligence analysts have unprecedented abilities to track them and map out social networks. This applies both to identifying would-be cyber terrorists designing malware as well as those still using the bombs and guns of the present world.
The advent of reliable post in the 1800s allowed the most dangerous terrorists of that time, anarchist groups, to correspond across state borders, recruiting and coordinating in a way previously not possible, and even to deploy a new weapon: letter bombs. But it also allowed police to read their letters and crack down on them. So, too, today with the digital post. When it comes to cyber terrorism versus the terrorist use of cyberspace, we must balance chasing the chimeras of our fevered imaginations with watching the information flows where the real action is taking place.
Singer’s argument echoes that made earlier last year in the journal Foreign Affairs by Micah Zenko and Michael A Cohen, in which they lay out “the chronic exaggeration of the threats facing the United States”.
From that piece:
Policymakers and pundits have been warning for more than a decade about an imminent “cyber–Pearl Harbor” or “cyber-9/11.” In June 2011, then Deputy Defense Secretary William Lynn said that “bits and bytes can be as threatening as bullets and bombs.” And in September 2011, Admiral Mike Mullen, then chairman of the Joint Chiefs of Staff, described cyberattacks as an “existential” threat that “actually can bring us to our knees.”
Although the potential vulnerability of private businesses and government agencies to cyberattacks has increased, the alleged threat of cyberwarfare crumbles under scrutiny. No cyberattack has resulted in the loss of a single US citizen’s life. Reports of “kinetic-like” cyberattacks, such as one on an Illinois water plant and a North Korean attack on US government servers, have proved baseless. Pentagon networks are attacked thousands of times a day by individuals and foreign intelligence agencies; so, too, are servers in the private sector. But the vast majority of these attacks fail wherever adequate safeguards have been put in place. Certainly, none is even vaguely comparable to Pearl Harbor or 9/11, and most can be offset by commonsense prevention and mitigation efforts.