Schneier on Security
A blog covering security and security technology.
« A Pilot on Airline Security |
| Brian Snow on Security »
December 13, 2005
FBI Speaks Sense on Cyberterrorism
A surprising outbreak of reason:
Al Qaida and other terrorist groups are more sophisticated in their use of computers but still are unable to mount crippling internet-based attacks against US power grids, airports and other targets, the FBI's top cyber crime official said on Wednesday.
Here's a transcript of a debate on the topic. And this is my 2003 essay.
Posted on December 13, 2005 at 8:02 AM
• 17 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Although it's a tangent to this, that first linked item has this nice detail buried at the bottom after the discussion about pursuing the author of the Sober worm.
-- Because that worm disguised itself as a message from the FBI, messages sent to invalid e-mail addresses were routed back to the FBI at a rate of 200,000 per hour.
-- "It almost killed our system," he said.
I've had this problem personally - some email malware "makes up" common email addresses once it finds a domain.
We'd have a lot less problems if filters were more careful about who they sent bounces to - particularly bounces based on detection of known infection attempts.
I think our security priorities are a little mixed up. Cyberterrorism at this point is fantasy not fact.
Radical, militants, insurgents, terrorist, nut jobs, etc...
I have read about them for YEARS;
Waco, OK, NYC, Iraq, Russia, Japan...
This picture (Sorry I don’t know how long the link will work): http://news.yahoo.com/photos/ss/1479/im:/051212/...
"An Iraqi man tries to help 12-year-old Laith Falah, lying next to a bicycle after his leg was blown off by a car bomb blast in Baghdad, Iraq, in this June 23, 2005, file photo. (AP Photo/Hadi Mizban/FILE) "
WHO CARES if the power goes out for a little while because of an "attack"? WHO CARES if the Internet goes does for a little while because of an "attack".
REAL PEOPLE are getting BLOWN up.
I think our security priorities are a little mixed up.
Is there any arguement that would justify spending resources on cyberterrorism while people are still getting blown up daily?
Here's a reason: Those doing the "blowing up" are financing themselves through cybercrime. By stopping crimes online, you are stopping funds going to terrorist attacks. Doing so has the added bonus of protecting companies and individuals from losing money to theft.
Maybe if the CIA and FBI published SPF records, this virus would have had less impact.
I went looking for references to support your claim that cybercrime is being used to finance terrorism. There were few references to it - looking against financing of terrorism, the suggestions are that most of the funding is now private or state.
Cybercrime appears to be increasingly perpetrated by criminals - who want the money for themselves, not to give away.
Can you suggest some references for this point?
I completely agree! Cyber-criminals log out of their machines and then go blow themselves up...whatever.
By that logic shouldnt we be encourageing cybercrime so they can blow themselves up faster?!?
MY POINT: There are much more serious security concerns than software and systems right now.
Those security concerns should be addressed first with ALL of our resources.
Once we get to the point were we no longer need Elite Special Forces in our own major cities the focus should switch back to the non immediate threats.
even a broken clock tells the correct time twice a day.
the problem is working when its telling the right time.
There is a phrase which describes the mindset of focusing only on what is viewed as the principle threat of the moment. That phrase is "failure of imagination" When we focus exclusively on what the attacker is doing today, we are left flat-footed when they change tactics. With something as bulky and unweildy as the federal government, the idea that we can shift focus to deal with new threats as they arise is simply unworkable; we must keep our fingers in a few different pies to be aware.
"There is a phrase which describes the mindset of focusing only on what is viewed as the principle threat of the moment. That phrase is 'failure of imagination.'"
I think of it more as an overactive imagination -- imagining far more details and far more reality than there really is -- so I like the phrase "movie-plot threat."
"There is a phrase ... 'failure of imagination.'"
"I think of it more as an overactive imagination ... so I like the phrase 'movie-plot threat.'"
I think you're both right.
Well, I was thinking of only one specific example, Imam Samudra:
However, many are worrying that more terrorists will resort to cybercrime:
So, although terrorists raising money through cybercrime is not be a large threat now, it may be a good idea to prevent this becoming so in the future. Like I said earlier, reducing cybercrime has benefits to society that aren't related to terrorism (it prevents people and companies from being victims of theft, terrorist-motivated or otherwise), and that's a good thing. I think this is one of the ideas that Bruce likes to promote.
``However, many are worrying that more terrorists will resort to cybercrime" [link]'
Let's remember, the director of research at SANS has a great deal to benefit from `many worrying' about cybercrime.
I'm not trying to say that Alan Paller is or isn't just fearmongering. The fact that many worry has nothing to do with whether there is actually a reason to worry.
They protest too specifically. Al Qa'eda doesn't need to target government-controlled infrastructure to inflict "economic terror" and cost the US economy billions to trillions of dollars. Just write a Windows worm that takes advantage of the latest or undisclosed vulnerability, propagates, waits a short time (SQL Slammer needed 15 minutes to spread, IIRC) and starts deleting data. Wall Street backs up. Most small and medium businesses don't [effectively]. At a minimum they're all in for costs of reloading, restoring, and downtime.
That Al Qa'eda hasn't done this must speak to motive. I'm sure there's a capable programmer somewhere in the world sympathetic to Al Qa'eda and technically speaking it's not a terribly difficult assignment. And they're not all mulla-mulla-mulla stupid either. So, I contend they could do it if they wanted to. Which means they don't, so we can take some comfort there.
Throwing "ALL our resources" at a specific issue (terrorists blowing themselves up in shopping malls, poverty, manned spaceflight to Mars, people delinquent in child support payments, spammers) is not realistic. No matter how important you think your hot-button issue is, someone else will think there is another one out there at a higher priority.
I agree. I think both "failure of imagination" and "movie-plot threat" are different aspects of the same mindset -- basically, we are good at fighting the last war, not so good at being ready for the next.
The fact that the FBI looked at this "movie plot threat" and has determined the actual threat is negligible at this time means they are doing their job. It doesn't mean we can ignore the security of our infrastructure -- it just means we can allocate the resources used to deal with "squeaky wheels" to other squeaky wheels.
I've been saying this for years, even writing a paper for one of my masters classes.Terrorists need the Internet up and running just as much as we do.
Recruitment and support, communication, intelligence-gathering, and force multiplication are all realistic operational capabilities when looking at how terrorist and other non-state actors implement information warfare strategies.
We can thank Richard Clarke for his paranoia.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.