cyberterrorism?


wessman
August 27th, 2002, 04:57 PM
What are the real risks of cyberterrorism?

According to urban legend and movie thrillers, cyberterrorists
are plotting to bring down vital infrastructure systems. But
security experts are convinced the Internet's largest threat
is the ease of international communication and the ability to
hide among the seemingly infinite volume of traffic it carries.
Let's hope they are right in their assessment.
http://zdnet.com.com/2100-1105-955293.html

See also: Group promotes 'culture of security'
http://zdnet.com.com/2100-1105-955307.html

See also: E-terrorism--a News.com special report [registration required]
http://news.com.com/2009-1001-954728.html

==========

What are the real risks of cyberterrorism?
By Robert Lemos
Special to ZDNet
August 26, 2002, 6:23 AM PT
URL: http://zdnet.com.com/2100-1105-955293.html
In 1998, a 12-year-old hacker broke into the computer system that controlled the floodgates of the Theodore Roosevelt Dam in Arizona, according to a June Washington Post report. If the gates had been opened, the article added, walls of water could have flooded the cities of Tempe and Mesa, whose populations total nearly 1 million.

There was just one problem with the account: It wasn't true.

A hacker did break into the computers of an Arizona water facility, the Salt River Project in the Phoenix area. But he was 27, not 12, and the incident occurred in 1994, not 1998. And while clearly trespassing in critical areas, the hacker never could have had control of any dams--leading investigators to conclude that no lives or property were ever threatened.

"It's like the children's game of 'telephone,'" said Gail Thackery, assistant attorney general for Arizona and the prosecutor on the Salt River hacking case. "You get the reality at one end and, at the other end, something completely different."

The misreported incident serves as a metaphor for today's pressing debate over the Internet's vulnerability to attack. While warnings pervade government and the media, doomsday scenarios of cyberterrorism that result in massive deaths or injury remain largely the stuff of Hollywood scripts or conspiracy theory.

Although it is possible for electronic intrusions to damage infrastructure and threaten physical danger, taking control of those systems from the outside is extremely difficult, requires a great deal of specialized knowledge and must overcome non-computerized fail-safe measures. As a result, government and corporate security experts--while careful not to dismiss the gravity of the issue--point to this indisputable fact: It is still easier to bomb a target than to hack a computer.

"If we had so many dollars to spend on a water system, most of it would go to physical security," said Diane VanDe Hei, executive director of the Association of Metropolitan Water Agencies and point person for the Information Sharing and Analysis Center (ISAC) for the water utilities...

==========

Group promotes 'culture of security'
By Sandeep Junnarkar
Special to ZDNet News
August 26, 2002, 7:16 AM PT
URL: http://zdnet.com.com/2100-1105-955314.html
In time for the first anniversary of the Sept. 11 attacks, the Organization for Economic Cooperation and Development has issued new guidelines for securing information systems and networks in anticipation of cyberterrorist attacks or intrusions.

The OECD, an international organization composed of governments from around the world and charged with tackling the challenges of a global economy, hopes to develop a "culture of security" among government and businesses that increasingly depend on network connections across national borders.

"Along with the incredible benefits we enjoy through (computer networks), there are inherent vulnerabilities that must be recognized and addressed by all who use computers, modems, the Internet, and networks," Orson Swindle, a member of the U.S. Federal Trade Commission who heads the U.S. delegation to the OECD, said in a statement. "The more we depend upon interconnected information systems and networks, the greater our vulnerability--unless we act prudently."

Since last year's attacks, in which hijacked jet airplanes slammed into the World Trade Center in New York and the Pentagon in Washington, D.C., there has been growing urgency to prepare for possible attacks on the Internet. Governments, businesses and law enforcement agencies around the world are rushing to fortify their systems in preparation for coordinated cyberattacks that they fear could halt economic activity or plunge emergency response networks into disarray.

The OECD's voluntary guidelines urge those depending on information technology to adhere to nine basic principles spanning such areas as security awareness and responsibilities. Those nine principles include the following:

• Risk Assessment: Conduct analyses to identify threats to and vulnerabilities in their information systems.

• Response: Act in a timely and cooperative manner to prevent, detect and respond to security incidents.

• Ethics: Respect the legitimate interests of others and recognize that their action or inaction may harm others.

• Security design and implementation: Incorporate security as an essential element of information systems and networks.

• Security management: Adopt a comprehensive approach to security management.

• Reassessment: Review and reassess the security of information systems and networks, and make appropriate modifications to security policies, measures and practices.

The OECD said the suggestions are a product of a consensus among OECD member governments after lengthy discussions with experts in the information technology industry, business users and consumer advocates. These guidelines replace others first issued in 1992 as a basis for improving international coordination and cooperation to meet the evolving challenges and risks posed by threats to information systems and networks.

==========

By Robert Lemos, John Borland,
Lisa Bowman and Sandeep Junnarkar
Staff Writers, CNET News.com
August 26, 2002, 4:00 AM PT
Doomsday predictions of a "digital Pearl Harbor" have persisted in the year since the terrorist attacks of Sept. 11.

The specter was a driving force behind controversial new law enforcement measures portrayed as necessary by the government but decried by civil libertarians as an assault on constitutional rights to privacy. Yet security experts, network managers and public safety officials say privately that the threat of cyberterrorism has been overblown and misunderstood--and that physical attacks remain far easier to carry out.

As a result, government officials and industry leaders may have spent needless effort addressing an arguably nonexistent enemy at a time when all resources are needed to guard against more realistic dangers. In this three-day special report, CNET News.com reporters in New York, San Francisco and Washington examine the technological and political realities of this volatile issue....

:sw