El Reg badly misguided on cyber-terror threat
Black Ice author Dan Verton sorts us out
Our recent, negative review of Black Ice: The Invisible Threat of Cyber-Terrorism by Dan Verton drew a good deal of reader mail, including a request by the author to debate the issues raised in our article, and his book.
When Verton invited us via e-mail to "do a Q&A to give me the chance to refute the ridiculous claims you make in your review of my book," well, we couldn't possibly refuse. It was agreed that El Reg would ask the questions, and Verton would answer, thereby enjoying the last word. Herewith our exchange, edited very lightly:
El Reg: You indicate that cyber-terror skeptics have their heads in the sand, that they're ignoring signs of a growing interest among terror outfits in infrastructure attacks. But where's the evidence of this? A few laptops may have been seized with evidence of some limited research along these lines, but that's hardly the same as a plan. So far as I know, there has never been any evidence of a coherent plan or the financial backing needed to attempt anything along those lines. Am I mistaken?
Verton: Yes, you are mistaken. The evidence that you are looking for and that the skeptics are looking for is not the only evidence that exists. You cannot map terrorist threats to vulnerabilities without a solid understanding of the evolutionary nature of international terrorism and the strategic, long-term goals of groups like al-Qaeda. By studying what they are trying to do and then combining that with the indications and warnings surrounding both their low-level actions (i.e. evidence that they have been studying SCADA systems in U.S. critical infrastructures) and their public statements, one can extrapolate a future capability roadmap. Not to do that would be to repeat the failures of 9/11.
El Reg: Why would a terror outfit attempt an infrastructure attack per se? I can see how one could intensify a physical attack against a population, and I accept that it's something to worry about - knocking out local communications to hamper rescue efforts, say. But communications are very parallel: you might knock out a system that rescuers use; but you can't take out PSTN, cellular, Internet, TV and radio, all at once. An infrastructure attack per se is tremendously expensive in terms of finances, as well as planning, coordination and execution. The same investment in suicide bombings would produce a shocking body count. I doubt there's enough 'bang for the buck' in an infrastructure attack, and I doubt one will be pursued seriously for that reason. I believe that if a terror outfit should research this thoroughly - really do their homework - they'll conclude the same: that it's a waste of their resources. Why do you think that's wrong? What evidence can you cite?
Verton: Again, you are assuming that international terrorism is a static phenomenon that is incapable or unwilling to adapt to the realities of the modern world. Your question also implies that tomorrow's terrorist will look like and act like today's terrorist. That's a classic case of underestimating one's enemy. You also wrongly assume that such an attack would be more costly and more difficult to plan and execute. The investment required for a highly targeted attack is minimal, compared to a car bomb and the payoff is potentially just as great in monetary terms. However, you are correct in your assumption that to significantly damage the whole of the infrastructure probably falls outside of the capabilities of terrorist groups. And depending on what infrastructure we are talking about, there is also the possibility of impacting public safety. The evidence is in the writings and the public statements of al-Qaeda members and supporters who have clearly shown an intense interest in damaging the economy of the "capitalist" states. I outline who these individuals are and what they have said and done in Black Ice. You should go back and read that section again more carefully.
El Reg: People have talked about the possibility of attacking the Internet to interrupt commerce. But isn't there a paradox? If you use the Net as a weapon, but at the same time attack it, you're throwing sand in the equipment you're using. There are weaknesses in BGP and DNS that could be exploited, but by damaging the system, you're also cutting yourself off from it. Again, I believe a terror outfit would realize this if they researched it carefully, and conclude that it's not feasible to mount a sustained cyber-attack that would interrupt the Net across a broad area for any significant time. Why should I believe otherwise?
Verton: Your question assumes that terrorists are interested in a sustained, multi-infrastructure attack in cyberspace. But we know that groups such as al-Qaeda are very patient with their planning and very deliberate about their target selection. Therefore, your question misses a very important support mechanism in guerilla warfare: using highly targeted cyber attacks or physical attacks against key cyber infrastructures as a force multiplier for traditional terrorist operations. You've accused me of making dire predictions with no evidence. I'm now accusing you of making wild assumptions about our terrorist enemies that are designed to make them fit your understanding of what terrorism is and what their goals are. And I'm also saying that your assumptions and your understanding of international terrorism are completely wrong.
El Reg: Why shouldn't I be suspicious of the bureaucrats you quote in your book? Isn't cyber-terror an ideal mechanism for attracting homeland security pork? The technology is complicated and not well understood by the public, or members of Congress for that matter. It's easy to frighten people when they lack the technical savvy to evaluate these claims for themselves. Where is the evidence that cyber-terror is anything more than a scary story to enrich security vendors and increase federal security budgets?
Verton: I don't quote bureaucrats. I quote highly-respected, long-standing professionals who have been in positions to know the truth about the various matters covered in the book. By naming Richard Clarke and Howard Schmidt, as you did in your review of my book, referring to them as "paranoid bureaucrats" and then implying that they and others would purposely spread disinformation to cash in on the homeland security pork, is to do what many do when they're on the losing end of a debate, and that's to engage in the politics of personal destruction. Are there bureaucrats who engage in this kind of behavior? Of course there are. But neither Clarke nor Schmidt are among them. And I say that knowing both of those men personally. They are true patriots at a time when patriotism is under attack.
So there you have it: there seems to be little common ground between skeptic and believer. We leave it to the wisdom of our readers to decide which way to lean in the debate. ®
Editors' note: Following the above dialogue, Dan Verton sent us a piece, suggesting that this might be a more appropriate response to Tom Greene's original review of his book. This is not, unhappily, our considered opinion; we feel that Tom's review was and is a measured and rational examination of the subject, and see no reason for amendment or retraction. Equally, we are happy to publish Dan's viewpoint:
A Feb. 25 review of my book, Black Ice: The Invisible Threat of Cyber-Terrorism, by The Register’s Thomas Greene, claimed that my work failed to realize that "at its core, terror is about sudden and violent death, not inconvenience."
I couldn’t have asked for better support for what is actually the central thesis of Black Ice: the complete lack of sophisticated thinking on the part of the high-tech community about the evolution and future of international terrorism.
The true face of al-Qaeda and other international terrorist organizations is one that few Americans, especially some "thought leaders" in the information security community, have come to appreciate and accept. It is a picture of a thinking and technologically sophisticated enemy that values formal training and education, and that understands the critical role that information technology plays in the day-to-day operations of America's economy and national security.
Those in the information security community -- primarily technologists -- who assert that terrorism is only about terror lack a sophisticated understanding of the strategic goals of international terrorist organizations. Their assertion is based on a predilection to view homeland security through an antiseptic, mathematical lens. International terrorism, on the other hand, is a multi-faceted phenomenon that has long-term, strategic goals that go far beyond mere death and destruction. Anybody who has read the history of the French Revolution, during which the term terror was coined, knows that terrorism has never only been about terror.
Specifically, groups such as al-Qaeda understand the need to strike at America's economy as a means to curtail American military action overseas and to reverse U.S. political support for Israel. To ignore this fact is to ignore the evolutionary nature of terrorist tactics and to appease those who would like to think that all terrorists are, and will forever remain, a mindless horde of thugs living a hand-to-mouth existence in caves in Afghanistan.
The security appeasers want to ignore the facts: al-Qaeda's history of studying the use of modern technologies and its reliance on operatives with degrees in engineering; laptop computers seized around the world that contained evidence of al-Qaeda's interest in the computer systems that control the electric power grid in the U.S. and other critical infrastructures; the continued radicalization of young people who are studying mathematics, computer science and engineering; and the statements by Osama bin Laden and other radical Islamic clerics outlining the usefulness of attacks against the "technical systems" of large companies and the stock market.
A large part of the intellectual inflexibility surrounding the IT security community's reluctance to accept cyber-terrorism as a clear and present danger (not to mention the broader concept of cyber-terrorism as a physical phenomenon) is a cultural reluctance to accept terrorist organizations as thinking enemies capable of adapting to the modern world. Such intellectual rigidity also stems from a lack of understanding of the strategic goals of groups such as al-Qaeda and why attacks against critical cyber infrastructures support those goals.
This is not to say, however, that mass casualty attacks no longer play a role in global terrorism. What most observers fail to recognize is that fear and uncertainty are central themes of cyber-terrorism. Attacks on the financial infrastructure can create uncertainty and loss of confidence. Digital attacks on water systems that cause dangerous levels of chlorine to be released into drinking water can create fear in people who once felt secure from such remote enemies. The potential scenarios are endless, but all are economic in nature.
But perhaps the most dangerous example of the IT security community's intellectual bankruptcy is the refusal to recognize that tomorrow's terrorist threat will not necessarily look and act like today's terrorist threat. In addition to the radical elements within the Pakistani Directorate for Inter-Services Intelligence (ISI), one can find future cyber-terrorists in the thousands of young Muslim children who are often fed a daily dose of hatred for America along with their studies in computer science, mathematics and engineering. In addition, one could also find ample evidence of bin Laden's computer hackers throughout the growing community of unemployed Russian scientists; or within organized crime syndicates in Russia, Malaysia, Italy, China, Japan, Colombia, or Mexico.
But how long must we wait for the IT security community to start thinking about and preparing for this threat? Will we have to wait another eight years, as we did prior to Sept. 11, 2001 when the first clear signs emerged that al-Qaeda was studying the use of commercial airliners as precision strike weapons? If we continue to listen to those in the IT security community who continue to prop up an outdated understanding of international terrorism, we will once again be caught by surprise because we will have put our fate in the hands of people who are ignorant to the tectonic shifts of modern international terrorism.
To not accept the evolving nature of the terrorist threat is to simply wish it away. And hope is not a sound basis for a critical infrastructure protection policy in the 21st century.