Feeds

Verton slips on Black Ice

Oi! Watch it with the intellectually bankrupt

  • alert
  • submit to reddit

Securing Web Applications Made Simple and Scalable

Letter The polemic surrounding Thomas C. Greene's recent review of Dan Verton's Black Ice: The Invisible Threat of Cyber-Terrorism continues unabated.

The following is a letter from Jay G. Heiser, columnist for Information Security magazine and occasional Register contributor. It is published in full:



Dan Verton is apparently not satisfied just to demonise al-Qaeda. He also feels the need to attack everyone who questions the basic premise upon which sales of his book depend. While I didn't think his sensationalised book was worthy of comment, let alone notice, I do take exception to his characterisation of my profession as being 'intellectually bankrupt'.



The unwillingness to accept cyber-terror as being a 'clear and present danger' is not due to 'a cultural reluctance to accept terrorist organizations as thinking enemies capable of adapting to the modern world.' His suggestion that those of us responsible for performing information security are bigots, tragically unable to think clearly about terrorism because we are trapped in outmoded ethnic stereotypes, is inaccurate and insulting.

Scepticism about both the significance and mitigation cost of any highly visible risk issue is always necessary and appropriate.

The aftermath of 9/11 has made it abundantly clear to anyone who has taken the effort to understand Risk Communications that human beings will inevitably overreact when confronted with a dramatic risk situation that they do not fully understand. ANY time that al-Qaeda is submitted as justifying a significant change in activity, we should reflect upon the benefits of having the junior Safety Patrol collect fingernail clippers and knitting needles (as if any plane full of passengers would ever again sit passively through another hijacking attempt).

For a risk management professional, one of the important lessons of 9/11 has been to watch out for the carpet baggers. It is literally a crime that so much unnecessary and inappropriate risk
mitigation work has been sold as a response to this galvanising event.

The very term 'homeland security' is a sacred cow that deserves heavy scrutiny. It's a marvellously polarising concept that immediately invokes 'Land of the Free, Home of the Brave' connotations, making it dangerously simple to mislead through assertions like "They are true patriots at a time when patriotism is under attack." This is manipulative at several levels, but let it suffice for me to counter that the true patriot is someone who is willing to tell the truth, even when it conflicts with the party line.

More important in this instance, it is not the case that Richard Clarke, one of the 'patriots' in question, is universally viewed within the information security community as having provided useful leadership. He may indeed have been well placed to 'know the truth about the various matters', but that is not the same thing as saying that his advice has been particularly useful. It is his suitability as a thought leader that was legitimately questioned, not his patriotism.

Verton is still unable to provide cogent or compelling evidence that the yet-to-be-demonstrated potential for cyber-terror requires some form of resource re-allocation. His arguments are little more sophisticated than 'something really bad happened once, those responsible are not all dead, something really bad will happen again, computers are good and we should expect bad things to happen to them.' His response is full of 'could be's and 'might will have been's, but it isn't compelling. This is the typical sort of Chicken Little rhetoric that has become all too common.

I've spent the last 5 years publicly urging the infosec field to stop with the hype, and to concentrate on real problems, so perhaps I'm over-sensitive when I find myself in a majority situation, agreeing with a high percentage of my peers that cyber-terror is not a priority for corporate risk managers. The IT world has plenty enough housecleaning to do already without the needless distraction of hypothetical infowars. As was demonstrated last year in both America and Britain, complex systems such as power grids can fail quite dramatically on their own, without being pushed over the edge by anti-globalist insurgents. The things that system designers and managers should be doing to ensure robust and stable infrastructure are things that will protect us equally from mistake and attack.

We don't need an exaggerated threat of terrorist attack to encourage us to make safer and better systems.

The future threat of cyber-terror is not significant in comparison to the current risk represented by either fraud or bugs. The home user, the office, and government decision makers are all tired of being warned about horrible new threats that never materialise, and this 'boy who cries wolf' backlash is making it increasingly difficult to make real reductions in risk. It is important that we do keep a weather eye on the horizon, watching for any significant indications that cyber-terror actually will appear. However, this is not the same thing as spending money today to make it less likely to occur in the future. The decision to put cyber-terror concerns on the back burner is one of the most well-informed ones made by the infosec community, and I question any other characterisation as being self-serving.

Jay G. Heiser
Columnist "Information Security" magazine



Related stories
Cyber-terror drama skates on thin Black Ice
El Reg badly misguided on cyber-terror threat

The smart choice: opportunity from uncertainty

More from The Register

next story
BMW's ConnectedDrive falls over, bosses blame upgrade snafu
Traffic flows up 20% as motorway middle lanes miraculously unclog
Putin: Crack Tor for me and I'll make you a MILLIONAIRE
Russian Interior Ministry offers big pile o' roubles for busting pro-privacy browser
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.