Survival Guide: Perspectives from the field


James Lewis, senior fellow and director of technology and public policy at the Center for Strategic and International Studies

Henrik G. de Gyor

The dangers of cyberattacks often sound nightmarish: A hacker takes over a major government or industry computer system and wreaks havoc. National security is compromised, the economy is crippled, and the American way of life is endangered.

But these scenarios attribute much more power to cyberterrorists than they actually have, according to James Lewis, senior fellow and director of technology and public policy at the Center for Strategic and International Studies.

Lewis, author of "Assessing Cyber Terrorism, Cyber War and Other Cyber Threats," a paper published in December for the Washington-based think tank, said that one-time attacks on critical infrastructures rarely cause significant damage or disruption. Citing bombing attacks on Germany during World War II, Lewis said the most effective damage was done through repeated attacks over a long period of time. In contrast, most cyberattacks today are one-time events or launches of viruses that, while bothersome, cause no significant damage to infrastructure.

Lewis spoke with Senior Editor Nick Wakeman about how doomsday cyberscenarios miss the mark and where the real threats lie.

WT: Why is the concern about cyberattacks on critical infrastructure overblown?

Lewis: These cyberthings tend to be a bit like a Godzilla movie. You have this big thing that goes around and stomps on Tokyo. In the real world, that doesn't happen. It is really hard to bring a country to its knees. When people are attacked, they usually respond; they don't sit there and wring their hands. So even if an attacker was able to do something, it is not like we are paralyzed.

The whole experience with other kinds of attacks is that you need to do a lot of them over a long period of time to bring a country to its knees.


WT: Why is it so hard to bring a country to its knees?

Lewis: First, there are a lot of redundant systems. But also, it is the ability of people to respond and to repair. If something breaks down, people ask: How can we fix it? How can we work around this problem?

During World War II, the British blew up a dam in Germany, which is far more damaging than anything a cyberattack can do. The Germans got everything back online. People are used to things breaking, and they repair them.

In the United States, it is very difficult to think of any point of vulnerability that we wouldn't immediately take some countermeasures for. That tends to get left out of these scenarios.

Look at electrical companies, which are a very popular target for hackers. These companies have been practicing since 1965 on how to respond quickly to blackouts and get things up and running because of the embarrassment they felt when New York City was blacked out for a day. And again, it wasn't like national security was damaged by being able to black out the entire city. The nation did not grind to a halt.


WT: Realistically, then, what role can a cyberattack play in an attack on critical infrastructures?

Lewis: The only way a cyberattack would be a threat is if someone were smart enough to do it at the same time as a physical attack, because then it would multiply the effects of the physical attack.

What we are talking about is information and communication. If you used it to put out false information or block communication channels, then it would multiply the effect of a physical attack. If you were a terrorist, you'd want to look at how can you use this to reinforce a physical attack.


WT: What, then, do we need to be concerned about?

Lewis: The threats that are underemphasized are crime and espionage. You can obtain reams of information on infrastructure, on physical locations. You can do a good job coming up with a target package for an attack by using the Internet.

There is risk of people hacking into systems and reading things they shouldn't be able to read. So far, the government has done a pretty good job of keeping classified material off networks that are accessible from the Internet. But they haven't done as good a job of keeping off what they call sensitive information. You need to keep reminding people not to post documents that say "sensitive" or "for official use only." At the lower levels, you can probably find a lot of that stuff.

The other issue is penetrating into networks and being able to sit there and collect information, not just stuff posted on the Web, but the ability to hack into a network and get information there.

Those are real threats.
