Saturday, September 15, 2001

September 11th Does Not Mean Cyberwar is Coming by Richard Forno

September 11, 2001 is a date now seared into the memory of our nation; that was a brutal awakening for 21st century America. It was also a stark reminder that the method of attack for terrorists will be a high visibility, high body count target; not hacking, cracking, or conducting a so called cyber war.

UBL , Saddam, Quasimodo, or any other terrorist is not going to snicker in their cave or palace and proclaim that "God is Great, those Americans are running scared because my forces have crashed the NASDAQ systems." Nobody ever died from a directed TCP/IP packet, nor are such IT related incidents akin to the fearful dinner time discussions regarding the Red Threat during the Cold War.

Seeing a smoking crater that was a world landmark makes an emotional impact on everyone around the world. Thus, the graphic impact of such physical strikes is much more appealing to the terrorist since they elicit a far greater visceral emotional response from the victim society left to cope with the aftermath.

In the aftermath of our national tragedy, there is an understandable increase in emotional rhetoric in chat rooms and coffee bars across America that the recent attacks will precipitate a so called cyber war. This cyber war will likely be no more than the run of the mill nuisances and mundane mischief that network and security administrators see on a daily basis: web defacements, ping floods, virus attacks, and so on. Sadly, there are a growing number of security and intelligence vendors making claims that the attacks of September 11 will culminate in or help launch a cyber war; thus creating an unnecessary amount of Fear, Uncertainty, and Doubt (FUD) on a topic that is in no way as pressing a concern as the very real emergencies that we are currently facing.

Of course, it goes without saying that during this time of concern, IT administrators and security staff should be on heightened alert to monitor for suspicious activities on their networks, and report any such activity to the appropriate entities. This should be expected in any national crisis situation. However, any computer system considered essential and a critical element of the national infrastructure should NOT have been connected to a public network in the first place. Proper security planning on such systems before their deployment should always outweigh operator convenience in such critical circumstances.

Granted, one cannot rule out an increase in computer security incidents during this time. Certainly, the IT industry should exercise due diligence in safeguarding their systems. But everyone involved should make a concerted effort to refrain from and resist any and all attempts to capitalize on this real world tragedy through fear mongering policy statements and or marketing tactics implying that phantom packets are waiting to strike our networks during this tragic period, and thus rush to implement knee jerk actions rooted in pure emotion and not reality. From the halls of Congress to corporate boardrooms, September 11th's attack on democracy and freedom should not be perverted into an opportunity for free commercials for anyone.

No comments: