Feeds

Verton slips on Black Ice

Oi! Watch it with the intellectually bankrupt

  • alert
  • submit to reddit

Build a business case: developing custom apps

Letter The polemic surrounding Thomas C. Greene's recent review of Dan Verton's Black Ice: The Invisible Threat of Cyber-Terrorism continues unabated.

The following is a letter from Jay G. Heiser, columnist for Information Security magazine and occasional Register contributor. It is published in full:



Dan Verton is apparently not satisfied just to demonise al-Qaeda. He also feels the need to attack everyone who questions the basic premise upon which sales of his book depend. While I didn't think his sensationalised book was worthy of comment, let alone notice, I do take exception to his characterisation of my profession as being 'intellectually bankrupt'.



The unwillingness to accept cyber-terror as being a 'clear and present danger' is not due to 'a cultural reluctance to accept terrorist organizations as thinking enemies capable of adapting to the modern world.' His suggestion that those of us responsible for performing information security are bigots, tragically unable to think clearly about terrorism because we are trapped in outmoded ethnic stereotypes, is inaccurate and insulting.

Scepticism about both the significance and mitigation cost of any highly visible risk issue is always necessary and appropriate.

The aftermath of 9/11 has made it abundantly clear to anyone who has taken the effort to understand Risk Communications that human beings will inevitably overreact when confronted with a dramatic risk situation that they do not fully understand. ANY time that al-Qaeda is submitted as justifying a significant change in activity, we should reflect upon the benefits of having the junior Safety Patrol collect fingernail clippers and knitting needles (as if any plane full of passengers would ever again sit passively through another hijacking attempt).

For a risk management professional, one of the important lessons of 9/11 has been to watch out for the carpet baggers. It is literally a crime that so much unnecessary and inappropriate risk
mitigation work has been sold as a response to this galvanising event.

The very term 'homeland security' is a sacred cow that deserves heavy scrutiny. It's a marvellously polarising concept that immediately invokes 'Land of the Free, Home of the Brave' connotations, making it dangerously simple to mislead through assertions like "They are true patriots at a time when patriotism is under attack." This is manipulative at several levels, but let it suffice for me to counter that the true patriot is someone who is willing to tell the truth, even when it conflicts with the party line.

More important in this instance, it is not the case that Richard Clarke, one of the 'patriots' in question, is universally viewed within the information security community as having provided useful leadership. He may indeed have been well placed to 'know the truth about the various matters', but that is not the same thing as saying that his advice has been particularly useful. It is his suitability as a thought leader that was legitimately questioned, not his patriotism.

Verton is still unable to provide cogent or compelling evidence that the yet-to-be-demonstrated potential for cyber-terror requires some form of resource re-allocation. His arguments are little more sophisticated than 'something really bad happened once, those responsible are not all dead, something really bad will happen again, computers are good and we should expect bad things to happen to them.' His response is full of 'could be's and 'might will have been's, but it isn't compelling. This is the typical sort of Chicken Little rhetoric that has become all too common.

I've spent the last 5 years publicly urging the infosec field to stop with the hype, and to concentrate on real problems, so perhaps I'm over-sensitive when I find myself in a majority situation, agreeing with a high percentage of my peers that cyber-terror is not a priority for corporate risk managers. The IT world has plenty enough housecleaning to do already without the needless distraction of hypothetical infowars. As was demonstrated last year in both America and Britain, complex systems such as power grids can fail quite dramatically on their own, without being pushed over the edge by anti-globalist insurgents. The things that system designers and managers should be doing to ensure robust and stable infrastructure are things that will protect us equally from mistake and attack.

We don't need an exaggerated threat of terrorist attack to encourage us to make safer and better systems.

The future threat of cyber-terror is not significant in comparison to the current risk represented by either fraud or bugs. The home user, the office, and government decision makers are all tired of being warned about horrible new threats that never materialise, and this 'boy who cries wolf' backlash is making it increasingly difficult to make real reductions in risk. It is important that we do keep a weather eye on the horizon, watching for any significant indications that cyber-terror actually will appear. However, this is not the same thing as spending money today to make it less likely to occur in the future. The decision to put cyber-terror concerns on the back burner is one of the most well-informed ones made by the infosec community, and I question any other characterisation as being self-serving.

Jay G. Heiser
Columnist "Information Security" magazine



Related stories
Cyber-terror drama skates on thin Black Ice
El Reg badly misguided on cyber-terror threat

The essential guide to IT transformation

More from The Register

next story
Rupert Murdoch says Google is worse than the NSA
Mr Burns vs. The Chocolate Factory, round three!
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Germany 'accidentally' snooped on John Kerry and Hillary Clinton
Dragnet surveillance picks up EVERYTHING, USA, m'kay?
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
Who needs hackers? 'Password1' opens a third of all biz doors
GPU-powered pen test yields more bad news about defences and passwords
Think crypto hides you from spooks on Facebook? THINK AGAIN
Traffic fingerprints reveal all, say boffins
Microsoft cries UNINSTALL in the wake of Blue Screens of Death™
Cache crash causes contained choloric calamity
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Solving today's distributed Big Data backup challenges
Enable IT efficiency and allow a firm to access and reuse corporate information for competitive advantage, ultimately changing business outcomes.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.