Winter 2008


TCU Magazine "Academe"


Are we due for a "Digital Pearl Harbor"?

Yes, the United States is vulnerable to a computer-based attack, says one security expert. Should we be worried? Not yet. Because, right now, it is wildly impractical.

By Marcus J. Ranum

Excerpted from a Green Chair Lecture called "Hacking and Terrorism: The Problem of Defending an Infinite-Length Wall."

Right now, the spooky and vague notion of cyber-terrorism is really a non-threat over-hyped by the media. The simple reason is that terrorists -- and hackers, too -- are trying to scare you. That's what terrorism is: influencing a political agenda by means of violence and intimidation. To succeed, they have to scare us.

That's the reason people see hacking and terrorism as intertwined -- because they both share the military property of being able to attack anywhere from a defensive position. Essentially, both the hacker and the terrorist are guaranteed the advantage of surprise and choice of battlefield. If one gets to choose the battlefield and the moment of attack, one is going to win. So the dynamics of the threat scope are very similar.

That's why I don't believe we can truly ever defeat hackers or terrorists. Because they're always going to get those choices.

The advantages are so great. I used to think that hackers and terrorists were going to win out. For a long time, I felt that sooner or later some hacker was going to do some terribly profound damage. But now I don't believe that.

In truth, it is wildly impractical for terrorists to use the methods of computer hackers to strike fear. For one, the Internet has become so segmented that the logistics of an attack causing widespread damage are not cost-effective to a terrorist.

Is it more effective to train a cadre of cyber-ninjas or is it more effective to find idiots who will believe in your cause so devoutly that they wrap themselves in plastic explosives and blow something up?

Also, maintaining a "cyber-arsenal" wouldn't be easy with problems of version compatibility. Hackers could take down the Internet in large parts in little time, but my guess is it would be back in a few hours.

If they were going to take the FBI offline, they would need something to penetrate several kinds of firewall, something to penetrate two versions of Windows and three different UNIX servers and something that would allow the user to take control of routers and servers remotely so his own scheme isn't wiped out. It all has to work flawlessly. And it would cost tens of millions of dollars.

When al-Qaeda can fly planes into buildings for a fraction of that, this scenario is not going to happen.

Because they have similar strategic and tactical advantages, hackers and terrorists are often linked intellectually, but their agendas are very different. Terrorists' agendas are geopolitical and very focused. Hackers' are quite diffuse, focused mostly on fun, ego and money. So unless the hackers take up the cause of religion, politics or ethnic hatred, I think we're okay.

However, our targets are in trouble. Here's the paradox: On one hand, I don't think we really need to worry about cyberterrorism. But on the other, we're pretty vulnerable to it if someone actually decides to do it.

A lot of the process-control systems we use are extremely underprotected. We can get into oil refinery networks through open Internet links. Parts of our infrastructure such as sewage systems are recklessly insecure. The complexity of our systems grows exponentially as the connectivity increases. The more we link things, the more we have to worry about unforeseen consequences, and vulnerabilities go undetected.

We're at the point now where our networks are so complex that we can't project what catastrophes will happen if something fails. A perfect example is the massive electrical blackout on the East Coast in the summer of 2003.

We know we are such an attractive, open target, living this free society with way-cool technology. Everything is computerized. So we know subconsciously that we're buying ourselves a lot of hurt some day. But not yet.

That's part of the problem. My belief is this: If hackers can walk into our networks seemingly at will, so can al-Qaeda. But we're ignoring the fact that they aren't. They probably aren't because they want to cause broad destruction, not system downtime. The danger is real though.

At some point, we're going to run into this crossover point -- and I don't know when -- but we will be sufficiently connected that a person could kind of be electronically "killed." I think it will start personal. That will be the warning sign. When you start hearing that there's been a transition from identity theft to identity destruction, then we'll have cyber-terrorism. If someone can not just steal an identity and mess up a credit rating, but can erase an identity, destroy it, then we'll be confronted with cyber-terrorism as a real threat.

Marcus J. Ranum is a world-known expert on security system design and inventor of the proxy firewall. Contact him at mjr@ranum.com.

Comment at tcumagazine@tcu.edu.