From: Fred Cohen <fc@all.net>
To: iwar@yahoogroups.com
Date: Tue, 26 Jun 2001 19:41:29 -0700 (PDT)
Subject: Re: [iwar] Figuring out the "quantity" of import that IWAR implies?
Message-Id: <200106270241.TAA11135@big.all.net>
In-Reply-To: <4.3.2.7.2.20010626151100.00af4220@poptop.llnl.gov> from "Tony Bartoletti" at Jun 26, 2001 03:35:27 PM

Per the message sent by Tony Bartoletti:

...

> True.  But IWAR and "Cyberwar" differ a bit, in that the latter is focused
> more upon that which is enabled, and perhaps directly executable, by means
> of the internet or related cyber infrastructure.  I surmise c.b.r had the
> latter more in mind.

Glad you brought it up...

The media is largely now moving into the cyber arena, and many
organizations use cyber communications. But I guess you are really
talking about computers as a target rather than as a medium - indeed a
small part of information warfare.

...

> The eventual power of cyberweapons will be directly proportional to the
> degree to which we "enable" pervasive cyber control of critical
> processes.  If we allow legitimate operators to issue "emergency"
> directives, electronically, to elements such as power transmission,
> air/rail traffic scheduling, remote refinery operations, (emergency
> broadcast systems!) etc., then one can see room for havoc.

Hear, hear...

> What worries me is that the "safeguards" we put in place in the hopes of
> securing these kinds of communications are typically the type that
> successfully thwart the casual hacker and "noisy children", yet (perhaps)
> not the well-funded, expert, dedicated operations that will quietly subvert
> control systems, but bide their time to exercise some form of coordinated
> exploit.

Hear, hear...

> There is talk about cyberwar preparation being little more than a "cash
> cow" for the DoD, and it rings true in the short-term.  To many folk, it
> probably conjures up images of billion dollar anti web-defacement measures.
> But one must raise the alarms early, yell "the sky is falling", for
> cyber-realized infrastructure control will not be a passing fad.

I personally favor a more accuracy-based approach. I think you need to
tell it like it is - no hype - just facts.

The sky is not falling - but this is not about the sky - it is about
information systems, our dependency on them, and the extent to which
they lack information assurance.

Threats, vulnerabilities, consequences, mitigation, and risk management.
Those are the issues.

Today:

	- the threats are more severe than in the past,
	- the vulnerabilities more common and exploitable than in the past,
	- the consequences higher than in the past, and
	- mitigation is less adequate to the need than in the past.

As a result the risks are higher.

In addition, because of the movement toward privatization and
competition in the market for critical services, the risk management
decisions of infrastructure providers are increasingly forced to deal
only with business risks and to ignore risks that are not competitive in
nature. Thus, national risks, force majeure, and other issues are
necessarily left to government, and government, at least in the United
States, is abrogating its responsibility for 'the common defense' under
the misguided impression that economics will, in the long run, result in
the most efficient solution. Unfortunately, in information protection,
this has always failed and will likely always continue to fail for these
sorts of risks because protecting the nation is never as profitable for
the company as protecting against competitive threats only. Competition
alone will not serve the common good.

The sky is not falling, the government is failing to provide for the
common defense to an adequate level. Unless this is changed, survival
of the fittest will be the inevitable result - as in all pure economic
systems - and the fittest may not be freedom and democracy - at least if
government abrogates its responsibility.

FC
--
Fred Cohen at Sandia National Laboratories at tel:925-294-2087 fax:925-294-1225
  Fred Cohen & Associates: http://all.net - fc@all.net - tel/fax:925-454-0171
      Fred Cohen - Practitioner in Residence - The University of New Haven
   This communication is confidential to the parties it is intended to serve.
	PGP keys: https://all.net/pgpkeys.html - Have a great day!!!
This archive was generated by hypermail 2.1.2 : 2001-06-30 21:44:19 PDT