Cyberterrorism hyped, overblown, industry guru says

MYRTLE BEACH, S.C.?Cyberterrorism is a myth and a tool being used by security professionals to ensure they get part of the post-Sept. 11 funding stream?that's the argument offered by Marcus Ranum today at the Techno Security 2005 conference.

Much of the spending on cybersecurity today is in response to legislation such as the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act, but "none of them say, 'Spend a ton of money,'" Ranum said. "What they say is, 'Thou should have been doing these things for years; get with it.'"

Ranum, the security chief for Tenable Security Inc., is widely credited as the inventor of the proxy firewall and implementer of the first commercial firewall product.

There are several myths about cyberterrorism, Ranum said. Among them:

A cyberterrorist attack serves as a force multiplier, adding synergy to more conventional attacks. "Most examples are a nuisance on top of a disaster," he said. For instance, if a terrorist attack took out a nuclear reactor, and simultaneously the attackers took out communications between law-enforcement agencies, the crisis is the nuclear reactor.

If anything, it is the existence of mass communications that serves as the force multiplier. During the Sept. 11 attacks, most Americans watched the events on television. "The fact that everyone was glued to CNN was the force multiplier," Ranum said.

A cyberattack could lead to economic collapse. "Pundits make a huge leap from messing with the electronic infrastructure to you'll lose your mind and die," he said. South Korea, for instance, lost much of its automated teller network to the Sequel attack a couple of years ago, but the country's still there, he added.

Cyberterrorism is a cost-effective, inexpensive way for less-wealthy countries to take on the more powerful. This might be effective in the short term, according to Ranum, but it is self-defeating because it invites "disproportionate retaliation"?something the Taliban learned in Afghanistan.

Even al-Qaeda "is annoying to nation-states, it's making them spend more money, but it's not a real threat," he said. "They're living in caves."

The logistics for a cyberterrorist attack are easy. Ranum contends that a cyberweapon has to be tailored for a very specific target because of problems such as version incompatibility, and that different target organizations have different security policies, different tools and so on.

He said it would take an investment of about $20 million a year in a cyberweapons research laboratory to devise such weapons. "You could find a disaffected employee" for $1 million, he said, and get them to carry a more conventional device into an office.

Cyberterrorist attacks are difficult to trace. An attack has to provide some benefit to the person or organization that launches it. That loops back to the possibility of disproportionate retaliation.

Given these arguments against cyberterrorism, Ranum said the industry has to "find a selling strategy not based on fear, uncertainty and doubt."

Patience Wait is a staff writer for Washington Technology's sister publication, Government Computer News.