Are you under 30? If so, jokes former National Security Advisor Anthony Lake in his book "Six Nightmares," chances are you have enough technical know-how to be a cyber-threat. And if you don't, says Lake, you can find everything you need, including cyber-attack tools and their instruction manuals, on the Internet. Armed with these tools, "millions of computer-savvy individuals could wreak havoc against the United States."
Lake isn't the only policy wonk warning us of our own vulnerability. On March 22, National Security Advisor Condoleezza Rice and Richard Clarke, who heads U.S. counter-terrorism efforts, issued a warning against computer attacks that could disrupt vital services in the United States. "It is a paradox of our times," said Rice, "that the very technology that makes our economy so dynamic and our military forces so dominating also makes us more vulnerable."
But vulnerable to what? If the alarmists are right, we have some terrifying scenarios ahead of us: large-scale attacks on critical infrastructure such as the food supply, emergency services, government agencies, power grids, communication systems, air traffic control and financial systems. Lake, whose chapter "e-Terror, e-Crime" is a veritable case study in cyber-attack alarmism, worries that cyber-attackers could crash planes; tamper with food or medicines to poison populations; or disrupt the economy by shutting down electrical and communication systems. "The genie is well outside the bottle," he claims, now that attackers have jammed 911 lines in Miami, overwhelmed the e-mail system at an Air Force base and infiltrated an unclassified Pentagon computer.
To an extent, their fears are legitimate. In the last 20 years, the number of people with computer skills has grown dramatically; there are thousands of computer viruses and hundreds of millions of potential targets. An Associated Press story on Rice's announcement cited $400 million in financial losses due to computer attacks over the last year. But just because there are plenty of cyber-savvy individuals out there doesn't mean that the attacks we're likely to face are going to be as damaging as Lake and others fear. And no one among them is offering a careful analysis of what the threat may be and where it will come from.
Part of the problem is that Lake and other alarmists don't distinguish between the resources it takes to cause an expensive nuisance -- like last year's denial-of-service attacks on Yahoo and eBay -- and the skills, time and access one needs to create a devastating attack, like crashing an airplane. In "Six Nightmares," Lake doesn't consider the checks that protect infrastructure from such threats. He also fails to ask an obvious question: If there are so many malicious hackers at work (19 million, by Lake's count), why have their attacks been, by and large, fairly innocuous?
"Certainly the large majority of attacks demonstrate no more than script-kiddie skill level," says Tim Shimeall, a senior member of the technical staff with the CERT Analysis Center, a center for Internet security at Carnegie Mellon University.
Script kiddies, or unskilled attackers, perform simple exploits against underprotected systems using software tools and instructions written by skilled programmers. They take a tool and run it against many targets, hoping that one of them is still unpatched. These tools can crack passwords, steal files, install malicious software on a target or mount a denial-of-service attack, but they are unlikely to cause large-scale damage. "Script kiddies are getting their clickers on more sophisticated tools, but they have little ability to do more than launch them," says John Arquilla, associate professor of information technology at the Naval Postgraduate School in Monterey, Calif.
Tools like these don't automate new large-scale attacks on critical infrastructure; they repackage attacks that more proficient troublemakers have already carried out. And so whatever expert cyber-terrorists don't do routinely -- widespread attacks on the electrical grid, for instance -- just isn't an option for the vast majority of maliciously minded delinquents.
Major acts of cyber-terrorism are considerably more difficult than Lake and other alarmists suggest. Many attack tools are written against popular operating systems and common network protocols and simply don't work against critical infrastructure that runs on proprietary operating systems and protocols. Moreover, a new attack tool can lose its potency within weeks: once a patch for the newly discovered vulnerability is released and applied by alert system administrators, the tool fails against every system that has been fixed. Challenges like these are enough to knock most script kiddies out of the running. Large-scale destruction requires the ability to write or modify tools, or to know how to chain several tools together. The vast majority of script kiddies just don't have those skills.
"To carry out a large-scale attack against critical infrastructure requires significant expertise," says Edward Felten, director of the Secure Internet Programming Lab at Princeton University. A December 1999 study from the Naval Postgraduate School, "Cyberterror: Prospects and Implications," elaborates on the sort of expertise that might be necessary to execute attacks such as a "sustained total interruption of some component of the national critical infrastructure across a substantial customer base." Attackers would likely need sophisticated programming skills as well as mastery of operating systems, network and computer architectures, and security measures. They would need time to fully analyze a target system, which may require insider knowledge. They may also need organizational skills to employ multiple simultaneous attacks from different locations.
A major cyber-attack takes skill and motive and so far, says Frank Cilluffo, an editor of "Cybercrime, Cyberterrorism, Cyberwarfare," "we haven't yet seen the marriage of the intent with the capability."
Lake believes that malicious hackers, or "crackers," could wreak havoc against the United States just for the challenge of it, or to gain prestige among their peers. But is this sufficient motivation (especially given the criminal penalties) for real destruction? Arquilla confirms that there have been instances when hackers were in a position to do enormous damage and chose not to. He notes that most hackers are looking for an intellectual challenge and their interests are served better by a healthy information infrastructure than a broken one.
Terrorists -- those with ample political motivation to carry out such an attack -- are hindered by a lack of skills. According to the Naval Postgraduate School study, large-scale acts by foreign terrorist groups are likely a thing of the future since it takes a while to develop the skill set necessary for such attacks. Purchasing outside expertise is a possibility, but doing so introduces security risks for the terrorist group.
When and if they do strike, cyber-attackers will find many of their targets well guarded. Critical infrastructure systems are not sitting ducks, waiting to be taken out by a skilled and motivated attacker. Most systems have elaborate security measures in place, which may not be foolproof, but do provide a measure of security. For starters, critical infrastructure systems often have limited connections to external networks, making them less susceptible to attack than more open systems. Humans are also monitoring systems more closely than they used to, which means that strange behavior is more likely to be noticed quickly. Non-human checks tend to be effective too: Banks back up their transactions daily and store the information offline.
Lake and other alarmists consistently ignore these and other countermeasures against cyber-terrorism and overestimate the likelihood of large-scale cyber-attacks. Take, for example, one of Lake's nightmare scenarios, borrowed from James Adams' book "The Next World War":
"A cyber-terrorist will remotely access the processing control systems of a cereal manufacturer, change the levels of iron supplement, and sicken and kill the children of a nation enjoying their food."
According to a standard medical text, a lethal dose of iron for a child is between five and 10 grams. Given that cereal generally has less than one-half milligram of iron per serving, a single serving would need to carry 10,000 to 20,000 times the normal amount of iron to deliver that dose, a quantity that would render the cereal inedible. But it's hard to imagine the cereal would ever reach the breakfast table: Manufacturers routinely test their products before shipping them to stores and, well before that, would notice that their production lines were consuming far more iron supplement than usual.
While Lake and other alarmists fret over highly unlikely scenarios such as that, they gloss over far more feasible and more likely attacks.
We've seen the damage that ILOVEYOU-type viruses can do; they're difficult to guard against and can have a significant economic impact. But those viruses could be manipulated into far more damaging strains. Information theft -- from credit card information to government secrets -- continues to be a real threat. Small-scale attacks on critical infrastructure, say, temporarily overwhelming a 911 system, could be especially dangerous when combined with a physical strike, like a subway bombing. Lake lumps threats like these in with major attacks on infrastructure, making little distinction between likely, smaller-scale threats and full-scale cyber-attacks.
Lake, Rice and Clarke have good reason to warn us of the danger of cyber-attacks: There are people with the skills to cause real problems and we don't have the experience to know how likely some of the devastating attacks might be. But before our current spate of minor-grade cyber-attacks graduates into serious threats, we should be more realistic about what the damage is likely to be and from where we can expect it to come. As Cilluffo points out, we have a window of time to prepare for the threat. Let's at least understand the threat, before it's too late.