Letter
The polemic surrounding Thomas C. Greene's recent review of Dan Verton's Black Ice: The Invisible Threat of Cyber-Terrorism continues unabated.
The following is a letter from Jay G. Heiser, columnist for Information Security magazine and occasional Register contributor. It is published in full:
Dan Verton is apparently not satisfied just to demonise al-Qaeda. He also feels the need to attack everyone who questions the basic premise upon which sales of his book depend. While I didn't think his sensationalised book was worthy of comment, let alone notice, I do take exception to his characterisation of my profession as being 'intellectually bankrupt'.
The unwillingness to accept cyber-terror as being a 'clear and present danger' is not due to 'a cultural reluctance to accept terrorist organizations as thinking enemies capable of adapting to the modern world.' His suggestion that those of us responsible for performing information security are bigots, tragically unable to think clearly about terrorism because we are trapped in outmoded ethnic stereotypes, is inaccurate and insulting.
Scepticism about both the significance and mitigation cost of any highly visible risk issue is always necessary and appropriate.
The aftermath of 9/11 has made it abundantly clear to anyone who has taken the effort to understand Risk Communications that human beings will inevitably overreact when confronted with a dramatic risk situation that they do not fully understand. ANY time that al-Qaeda is submitted as justifying a significant change in activity, we should reflect upon the benefits of having the junior Safety Patrol collect fingernail clippers and knitting needles (as if any plane full of passengers would ever again sit passively through another hijacking attempt).
For a risk management professional, one of the important lessons of 9/11 has been to watch out for the carpet baggers. It is literally a crime that so much unnecessary and inappropriate risk mitigation work has been sold as a response to this galvanising event.
The very term 'homeland security' is a sacred cow that deserves heavy scrutiny. It's a marvellously polarising concept that immediately invokes 'Land of the Free, Home of the Brave' connotations, making it dangerously simple to mislead through assertions like "They are true patriots at a time when patriotism is under attack." This is manipulative at several levels, but let it suffice for me to counter that the true patriot is someone who is willing to tell the truth, even when it conflicts with the party line.
More important in this instance, it is not the case that Richard Clarke, one of the 'patriots' in question, is universally viewed within the information security community as having provided useful leadership. He may indeed have been well placed to 'know the truth about the various matters', but that is not the same thing as saying that his advice has been particularly useful. It is his suitability as a thought leader that was legitimately questioned, not his patriotism.
Verton is still unable to provide cogent or compelling evidence that the yet-to-be-demonstrated potential for cyber-terror requires some form of resource re-allocation. His arguments are little more sophisticated than 'something really bad happened once, those responsible are not all dead, something really bad will happen again, computers are good and we should expect bad things to happen to them.' His response is full of 'could be's and 'might will have been's, but it isn't compelling. This is the typical sort of Chicken Little rhetoric that has become all too common.
I've spent the last 5 years publicly urging the infosec field to stop with the hype, and to concentrate on real problems, so perhaps I'm over-sensitive when I find myself in a majority situation, agreeing with a high percentage of my peers that cyber-terror is not a priority for corporate risk managers. The IT world has plenty enough housecleaning to do already without the needless distraction of hypothetical infowars. As was demonstrated last year in both America and Britain, complex systems such as power grids can fail quite dramatically on their own, without being pushed over the edge by anti-globalist insurgents. The things that system designers and managers should be doing to ensure robust and stable infrastructure are things that will protect us equally from mistake and attack.
We don't need an exaggerated threat of terrorist attack to encourage us to make safer and better systems.
The future threat of cyber-terror is not significant in comparison to the current risk represented by either fraud or bugs. The home user, the office, and government decision makers are all tired of being warned about horrible new threats that never materialise, and this 'boy who cries wolf' backlash is making it increasingly difficult to make real reductions in risk. It is important that we do keep a weather eye on the horizon, watching for any significant indications that cyber-terror actually will appear. However, this is not the same thing as spending money today to make it less likely to occur in the future. The decision to put cyber-terror concerns on the back burner is one of the most well-informed ones made by the infosec community, and I question any other characterisation as being self-serving.
Jay G. Heiser
Columnist "Information Security" magazine
Cyber-terror drama skates on thin Black Ice
El Reg badly misguided on cyber-terror threat