Computer security officials discount chances of 'digital Pearl Harbor'
The notion that the cyberterrorism against the United States could create a "digital Pearl Harbor" is fading faster than the stock prices of dot-com startups did at the start of the decade, three computer-security experts agreed on Tuesday.
"The first time I saw the phrase 'digital Pearl Harbor' was 1995," Jim Lewis, a Clinton administration technology policy official now with the Center for Strategic and International Studies, said during a keynote panel discussion at an information security summit. "There have been more than 1,800 international terrorist attacks" since then.
"But you haven't seen the big headlines" about cyberterrorism during the comparable period, he added. "Just as you had had inflated stock valuations, you had inflated valuations of risk."
A top computer-security official at Carnegie Mellon's Software Engineering Institute (SEI) and a Gartner Group analyst also on the panel agreed with Lewis that disgruntled insiders, not foreign terrorists, pose the greatest cybersecurity threat to companies.
Companies should implement "best practices" of information management on their networks to guard against the theft of data and intellectual property by individuals who seek either to profit or to vandalize from security weaknesses, they said.
"Being a victim of cybercrime is like being a victim of sexually transmitted diseases in the 1940s," Gartner analyst Richard Hunter said. "It certainly happens to a lot of people, but you don't want anyone to know about it."
But Hunter said businesses need to share information about computer vulnerabilities, and he jokingly suggested that the time is right for public-service advertisement featuring white-coated doctors reassuring chief executives and top security officers that "the very best companies get cracked all the time."
"Do I accept [the notion of a] cyber Pearl Harbor? No, I don't," said Casey Dunlevy, senior member of the technical staff at SEI, which runs the oldest coordination center for computer emergencies. "But could [cyber terrorism] be a force multiplier in terrorist attacks" by, for example, disabling all traffic lights after a bombing? "I think we have to consider that."
In an interview after the discussion, Dunlevy said the al Qaeda terrorist group exhibited a curious mix of high-tech and low-tech tactics by, for example, creating compacts discs with instructions to operatives even as they distributed the discs by hand. He said he had examined computers recovered from Afghanistan demonstrating the terrorist group's use of steganography, a technique for embedding secret data within pictures or text.
"We will eventually see a cyber element to terrorist activity," Dunlevy said. But both he and Hunter said terrorist groups also are likely to continue to engage in money laundering and cybercrime as a means of purloining resources.
Companies must educate employees to be on guard against "social engineering," the practice of over-the-phone deception by skilled information thieves, Hunter said. The most successful ways for foreigners to steal U.S. secrets is to use such practices or to buy U.S. companies in possession of secrets, he said, adding that computer hacking constitutes only 6 percent of theft attempts.