Re: [iwar] Figuring out the "quantity" of import that IWAR implies?

From: Fred Cohen (
Date: 2001-06-26 19:41:29

Return-Path: <>
Received: from by localhost with POP3 (fetchmail-5.1.0) for fc@localhost (single-drop); Tue, 26 Jun 2001 19:42:07 -0700 (PDT)
Received: (qmail 23082 invoked by uid 510); 27 Jun 2001 01:43:33 -0000
Received: from (HELO ( by with SMTP; 27 Jun 2001 01:43:33 -0000
Received: from [] by with NNFMP; 27 Jun 2001 02:41:31 -0000
Received: (EGP: mail-7_1_3); 27 Jun 2001 02:41:30 -0000
Received: (qmail 78498 invoked from network); 27 Jun 2001 02:41:29 -0000
Received: from unknown ( by with QMQP; 27 Jun 2001 02:41:29 -0000
Received: from unknown (HELO ( by mta3 with SMTP; 27 Jun 2001 02:41:29 -0000
Received: (from fc@localhost) by (8.9.3/8.7.3) id TAA11135 for; Tue, 26 Jun 2001 19:41:29 -0700
Message-Id: <>
In-Reply-To: <> from "Tony Bartoletti" at Jun 26, 2001 03:35:27 PM
Organization: I'm not allowed to say
X-Mailer: don't even ask
X-Mailer: ELM [version 2.5 PL1]
From: Fred Cohen <>
Mailing-List: list; contact
Delivered-To: mailing list
Precedence: bulk
List-Unsubscribe: <>
Date: Tue, 26 Jun 2001 19:41:29 -0700 (PDT)
Subject: Re: [iwar] Figuring out the "quantity" of import that IWAR implies?
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

Per the message sent by Tony Bartoletti:

> True.  But IWAR and "Cyberwar" differ a bit, in that the latter is focused 
> more upon that which is enabled, and perhaps directly executable, by means 
> of the internet or related cyber infrastructure.  I surmise c.b.r had the 
> latter more in mind.

Glad you brought it up...  The media is largely now moving into the
cyber arena, and many organizations use cyber communicaitons.  But I
guess you are really talking about computers as a target rather than as
a medum - indeed a small part of information warfare.

> The eventual power of cyberweapons will be directly proportional to the 
> degree to which we "enable" pervasive cyber control of critical 
> processes.  If we allow legitimate operators to issue "emergency" 
> directives, electronically, to elements such as power transmission, 
> air/rail traffic scheduling, remote refinery operations, (emergency 
> broadcast systems!) etc., then one can see room for havoc.

Here here...

> What worries me is that the "safeguards" we put in place in the hopes of 
> securing these kinds of communications are typically the type that 
> successfully thwart the casual hacker and "noisy children", yet (perhaps) 
> not the well-funded, expert, dedicated operations that will quietly subvert 
> control systems, but bide their time to exercise some form of coordinated 
> exploit.

Here here...

> There is talk about cyberwar preparation being little more that a "cash 
> cow" for the DoD, and it rings true in the short-term.  To many folk, it 
> probably conjures up images of billion dollar anti web-defacement measures. 
> But one must raise the alarms early, yell "the sky is falling", for 
> cyber-realized infrastructure control will not be a passing fad.

I personally favor a more accuracy-based approach.  I think you need to
tell it like it is - no hype - just facts.  The sky is not falling - but
this is not about the sky - it is about information systems, our
dependency on them, and the extent to which they lack information

Threats, vulnerabilities, consequences, mitigation, and risk management. 
Those are the issues.  Today:

	- the threats are more severe than in the past,
	- the vulnerabilities more common and exploitable than in the past,
	- the consequences higher than in the past, and
	- mitigation is less adequate to the need than in the past.

As a result the risks are higher.

In addition, because of the movement toward privitization and
competition in the market for critical services, the risk management
decisions of infrastructure providers is increasingly forced to deal
only with business risks and to ignore risks that are not competitive in
nature.  Thus, national risks, force majur, and other issues are
necessarily left to government, and government, at least in the United
States, is abrigating its responsibility for 'the common defense' under
the misguided impression that economics will, in the long run, result in
the most efficient solution.  Unfortunately, in information protection,
this has always failed and will likely always continue to fail for these
sorts of risks because protecting the nation is never as profitable for
the company as protecting against competitive threats only.  Compettion
alone will not serve the common good.

The sky is not falling, the government is failing to provide for the
common defense to an adequate level.  Unless this is changed, survival
of the fittest will be the inevitable result - as in all pure economic
systems - and the fittest may not be freedom and democracy - at least
if government abrigates its responsibility.

Fred Cohen at Sandia National Laboratories at tel:925-294-2087 fax:925-294-1225
  Fred Cohen & Associates: - - tel/fax:925-454-0171
      Fred Cohen - Practitioner in Residence - The University of New Haven
   This communication is confidential to the parties it is intended to serve.
	PGP keys: - Have a great day!!!


Your use of Yahoo! Groups is subject to 

This archive was generated by hypermail 2.1.2 : 2001-06-30 21:44:19 PDT