[iwar] Historical posting
From: Fred Cohen
From: fc@all.net
To: iwar@onelist.com
Mon, Jan 1, 1999
fc Mon Jan 1, 1999
Received: (from fc@localhost) by all.net (8.9.3/8.7.3) id FAA15269 for iwar@onelist.com; Tue, 18 Apr 2000 05:21:43 -0700
To: iwar@onelist.com
MIME-Version: 1.0
Mailing-List: list iwar@egroups.com; contact iwar-owner@egroups.com
Delivered-To: mailing list iwar@egroups.com
Precedence: bulk
List-Unsubscribe:
Date: Mon, Jan 1, 1999
From: Fred Cohen
Reply-To: iwar@egroups.com
Subject: [iwar] Historical posting
In reference to the following view expressed by Ross Stapleton-Gray:
>
> From: Ross Stapleton-Gray amicus@w...
>
> At 09:17 PM 10/16/1999 -0700, Fred Cohen wrote:
> >I think that the bombing of information infrastructures with the goal of
> >inducing fear in the general public would constitute cyber-terrorism.
> >
> >In general, I would count anything as cyber-terrorism if it was intended
> >to induce fear in the citizenry and was directed at or through some set
> >of information systems.
>
> So, is it rail-terrorism if they blow up the Chessie System? Is it
> cyber-terrorism, or rail-terrorism (or petro-terrorism) if they blow up the
> switching center computer that results in Chessie rail cars unable to get
> the fuel tanker cars to the refinery?
Neither. It is not terrorism unless the goal is inducing fear. These
actions seem to me to be more along the lines of guerilla warfare.
> A question to prepend to yours: what, exactly, terrifies? TWA 800 produced
> several hundred deaths; DC's on track to produce more deaths this year from
> drug-related violence. Unbiased observers would be far less terrified by
> air crashes (among the safest mode of travel) than heart disease. Scratch
Fear is indeed an interesting phenomena, and it is not logical based on
probabilities but rather, it is largely based on perception and focus.
Fear is therefore closely tied to the media in the US. For example, I
would call the actions of the anti-nuclear power activists in the US in
the 1970s and 1980s verging on terrorism, except that they did not
become very active in creating the scenarios they asserted. It was
cyber-terrorism because it was entirely informational in nature.
Exaggerating the real risk out of all proportion in order to attain a
political goal.
> the "what is terror?" question, and you start scraping up a variety of
> agendas; NB that TWA 800, which turned out to be an apparent mechanical
> failure, produced a couple of pieces of rather civil-liberty-repressive
> legislation, tightening surveillance of citizens.
Right - we terrorized ourselves. We were so afraid of what might happen
that we invented the enemy and invoked them as the cause of out
troubles. We started blaming the 'usual suspects' to carry out foreign
and domestic policies designed to further limit freedom. Sounds a bit
like pre-WW2 Germany, doesn't it...
> I think the more interesting futures for "cyber-terrorism" would revolve
> around the potential to induce widespread panic, or disruptive political
> change, as a consequence of a loss of trust in fundamental, IT-dependent
> systems. If, for example, all credit card clearing functions were first
> corrupted (so everyone's accounts were recorded as off, by a few, or a few
> thousand, bucks) and then disrupted (so there was no clear understanding as
> to when and how commerce might be possible), well then, maybe.
Right - one of the keys of inducing fear is the demonstration that
control rests in the attacker rather than the victim. Strip the
illusion of control and safety away...
> What happens January 1 should be somewhat instructive, especially re how
> affected communities respond socially, and to whom or what they look for
> reassurance (and whom all they sue once it's over... I suspect that one
> could do a great business just coaching attorneys how to recast themselves
> as Y2K-consequence litigators).
Y2K has its fear mongers also. But terrorism is generally not effective
if the enemy is errors and omissions. The US government is, and I think
rightly to some extent, starting to indicate that not all Y2K patches
are sincere, but if it turns into fear-mongering against Pakistan, it is
probably moving into the propaganda realm.
> As to why there's not more cyber-terrorism... probably mostly for the same
> reasons there's not more terrorism: most terrorists get caught, most
> governments would happily collaborate with others to jointly make the world
> more stable (do *we*, of the NYSE and NASDAQ, want to see political crisis
> in Beijing? heck no!), small groups can only wreak so much havoc, and large
> groups grow quickly vulnerable to compromise and infiltration.
>
> Ross
So you think there there are lots of terrorist attempts but that few
succeed. Terrorism is alive and well, but terror is not happening.
I think that physical and large-scale single incident terrorism is well
handled today from the perspective of the United States and most
European countries, but it is poorly handled in the third world and much
of the second world.
We live under a different sort of oppression, and one that, for now, is
far less severe. We are slowly losing our freedoms - giving them away
because we are afraid and giving them away because of the constant din
of the 'hacker/cracker' groups who think they are doing us good by
demonstrating every weakness they can exploit. Consider what would
happen to our freedoms to move about if every teenager who knew how to
drive a car decided it would be cool to show how vulnerable our society
was to things you can do with an automobile.
We have been driven slowly into a world where a recent hire of an
airport can feel through my clothing and personal effects as I enter and
in the computer world, I can be observed without my knowledge or consent
based on a rumor created by somebody who decides to victimize me.
There was a time when I was terrorized by the 500 sites that were
attacking my computer systems, and the threats coming over the wire, and
the late night calls to my home, and the various emails telling me they
could help me lose weight or get better sex, or the more personal ones
based on some unknown person's database holding intimate details of my
background based on something I did not understand. And I know of cases
where other individuals have felt increasing fear over the voyerism of
people who got into their PCs and read there most intimate secrets and
tried to exploit them. Fear and terror have become personalized in the
digital age.
But I fear no longer. I have developed a thick skin about such things.
Still, I bet that it would not be so hard to induce widespread fear
using the same databases we use for marketing. And with Halloween coming
up, maybe its the perfect time...
FC