Feeds

Verton slips on Black Ice

Oi! Watch it with the intellectually bankrupt

  • alert
  • submit to reddit

Choosing a cloud hosting partner with confidence

Letter The polemic surrounding Thomas C. Greene's recent review of Dan Verton's Black Ice: The Invisible Threat of Cyber-Terrorism continues unabated.

The following is a letter from Jay G. Heiser, columnist for Information Security magazine and occasional Register contributor. It is published in full:



Dan Verton is apparently not satisfied just to demonise al-Qaeda. He also feels the need to attack everyone who questions the basic premise upon which sales of his book depend. While I didn't think his sensationalised book was worthy of comment, let alone notice, I do take exception to his characterisation of my profession as being 'intellectually bankrupt'.



The unwillingness to accept cyber-terror as being a 'clear and present danger' is not due to 'a cultural reluctance to accept terrorist organizations as thinking enemies capable of adapting to the modern world.' His suggestion that those of us responsible for performing information security are bigots, tragically unable to think clearly about terrorism because we are trapped in outmoded ethnic stereotypes, is inaccurate and insulting.

Scepticism about both the significance and mitigation cost of any highly visible risk issue is always necessary and appropriate.

The aftermath of 9/11 has made it abundantly clear to anyone who has taken the effort to understand Risk Communications that human beings will inevitably overreact when confronted with a dramatic risk situation that they do not fully understand. ANY time that al-Qaeda is submitted as justifying a significant change in activity, we should reflect upon the benefits of having the junior Safety Patrol collect fingernail clippers and knitting needles (as if any plane full of passengers would ever again sit passively through another hijacking attempt).

For a risk management professional, one of the important lessons of 9/11 has been to watch out for the carpet baggers. It is literally a crime that so much unnecessary and inappropriate risk
mitigation work has been sold as a response to this galvanising event.

The very term 'homeland security' is a sacred cow that deserves heavy scrutiny. It's a marvellously polarising concept that immediately invokes 'Land of the Free, Home of the Brave' connotations, making it dangerously simple to mislead through assertions like "They are true patriots at a time when patriotism is under attack." This is manipulative at several levels, but let it suffice for me to counter that the true patriot is someone who is willing to tell the truth, even when it conflicts with the party line.

More important in this instance, it is not the case that Richard Clarke, one of the 'patriots' in question, is universally viewed within the information security community as having provided useful leadership. He may indeed have been well placed to 'know the truth about the various matters', but that is not the same thing as saying that his advice has been particularly useful. It is his suitability as a thought leader that was legitimately questioned, not his patriotism.

Verton is still unable to provide cogent or compelling evidence that the yet-to-be-demonstrated potential for cyber-terror requires some form of resource re-allocation. His arguments are little more sophisticated than 'something really bad happened once, those responsible are not all dead, something really bad will happen again, computers are good and we should expect bad things to happen to them.' His response is full of 'could be's and 'might will have been's, but it isn't compelling. This is the typical sort of Chicken Little rhetoric that has become all too common.

I've spent the last 5 years publicly urging the infosec field to stop with the hype, and to concentrate on real problems, so perhaps I'm over-sensitive when I find myself in a majority situation, agreeing with a high percentage of my peers that cyber-terror is not a priority for corporate risk managers. The IT world has plenty enough housecleaning to do already without the needless distraction of hypothetical infowars. As was demonstrated last year in both America and Britain, complex systems such as power grids can fail quite dramatically on their own, without being pushed over the edge by anti-globalist insurgents. The things that system designers and managers should be doing to ensure robust and stable infrastructure are things that will protect us equally from mistake and attack.

We don't need an exaggerated threat of terrorist attack to encourage us to make safer and better systems.

The future threat of cyber-terror is not significant in comparison to the current risk represented by either fraud or bugs. The home user, the office, and government decision makers are all tired of being warned about horrible new threats that never materialise, and this 'boy who cries wolf' backlash is making it increasingly difficult to make real reductions in risk. It is important that we do keep a weather eye on the horizon, watching for any significant indications that cyber-terror actually will appear. However, this is not the same thing as spending money today to make it less likely to occur in the future. The decision to put cyber-terror concerns on the back burner is one of the most well-informed ones made by the infosec community, and I question any other characterisation as being self-serving.

Jay G. Heiser
Columnist "Information Security" magazine



Related stories
Cyber-terror drama skates on thin Black Ice
El Reg badly misguided on cyber-terror threat

Beginner's guide to SSL certificates

More from The Register

next story
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
Forget passwords, let's use SELFIES, says Obama's cyber tsar
Michael Daniel wants to kill passwords dead
FBI boss: We don't want a backdoor, we want the front door to phones
Claims it's what the Founding Fathers would have wanted – catching killers and pedos
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.