Another case of security by denial
09 December, 2003 09:20
Large consultancies are paid a lot of money to provide companies with information to help them run their businesses. But sometimes the statements issuing forth from these consultancies have me questioning their value to users.
Last month at the Gartner Symposium and IT Expo in Sydney, Australia, Rich Mogull, Gartner Inc.'s director of information security and risk research, declared that cyberterrorism is mainly a theory. He said we should "stop running around being scared about these esoteric threats out there. Let's look at protecting ourselves by closing the vulnerabilities we know exist and protecting ourselves from the attacks that we know exist."
Of course we all should be doing the day-to-day diligence of patches, upgrades and monitoring. However, in contrast to Mogull, I contend that the threats we already know about are not the ones to lose sleep over; the ones we don't know about are.
Cyberterrorism is not a theory: It is a fact of the future, and that future could be one day, one month or three years out. Today's biggest cyberterrorism threats come from three places:
-- Trusted insiders about whom we know next to nothing, yet who have root control over critical infrastructure operations.
-- The "weaponization" of otherwise benign technology.
-- Advisers who live by the "security by denial" axiom.
In my 1993 book Information Warfare, I said cyberterrorists' motivations are immaterial; what's important is their capabilities. Further, I argued that Class 1 Information Warfare (personal) was an emerging threat that now has become a multibillion-dollar epidemic, primarily in the area of identity theft. That was theory back then, and now it is fact. Class 2 Information Warfare (industrial espionage and criminal acts) is the second level to have graduated from theory to fact.
One simple argument to remember is: Why would the bad guys not use available technology in their endeavors? The answer -- not theory -- is that they have adopted the very technologies that Mogull seems to suggest we relegate to a theoretical junk heap.
Class 3 Information Warfare (cyberterrorism) involves powerful religio-, narco- and politico-terrorists attacking significant portions of the infrastructure. When I spoke to the Joint Chiefs of Staff a couple of years ago, they did not like hearing me say, "Generals, you are no longer in command of your armies," or the politically incorrect, "Why are foreign nationals running significant portions of the military's force projection systems?" But they did something about it.
If a hospital's patient records are altered and a number of people die from inaccurate prescriptions, is that terrorism, and will the lawyers sue the equally victimized doctors? Before Sept. 11, a centuries-old bank was sold for pennies to a national competitor because of the sheer incompetence of an insider. Or was it a well-laid plan that, post-9/11, could be considered terrorism?
My biggest problem with Mogull's statements is that they imply we live in a world in which logic more than a decade old still applies. The world is too dangerous and dynamic for us to be fixated on preconceived notions. For us to plan only for that which we absolutely know is a threat is a clear prescription for failure. What about organizations that are implementing wireless infrastructure? Are they preparing a defense for when weapons such as high-energy radio frequency guns, which use high-power radio signals to disable and potentially destroy targets that use electronic circuits -- such as corporate networks and airplanes -- become mainstream? Or are they taking Mogull's short-sighted advice?
If he dismisses capability vs. motivation as our only indicator of future acts, then we all will suffer the consequences. But then again, that is only a theory.