Roger's Information Security Blog

I saw this article linked from the drudgereport.
US Video Shows Simulated Hacker Attack

A government video shows the potential destruction caused by hackers seizing control of a crucial part of the U.S. electrical grid: an industrial turbine spinning wildly out of control until it becomes a smoking hulk and power shuts down.

Apparently the US Government has obtained a copy of the latest Die Hard movie.

“They’ve taken a theoretical attack and they’ve shown in a very demonstrable way the impact you can have using cyber means and cyber techniques against this type of infrastructure,” said Amit Yoran, former U.S. cybersecurity chief for the Bush administration. Yoran is chief executive for NetWitness Corp., which sells sophisticated network monitoring software.
“It’s so graphic,” Yoran said. “Talking about bits and bytes doesn’t have the same impact as seeing something catch fire.”

So this is like the Day After Tomorrow, Super Volcano or the disaster movie of the week on SciFi. All that talk of a digital pearl harbor just wasn’t getting enough attention or money, so now they are creating videos about what could happen.
Even after Y2K, its quite popular to Speculate Creatively About Dastardly Attacks.

This is a real article in ZDNet Australia. The Australian Army expects suicide hacker attacks.
Now, I’m just rolling on the floor laughing as I read this article. To me, the key part of a suicide attack is when the attacker kills himself as part of the attack. To Colonel Paul Straughair, a suicide attack would be someone willing to go to prison for 30 years for their cause.
Its a slippery slop when you take real warfare terms and apply them to computers. The label cyberterrorism has been applied to the garden variety Internet worm. As Rob Rosenberger has pointed out, there is no where to go when the next event is worse. Are you going to call a major event cyber-genocide? For years people like Richard Clark has predicted a “digital Pearl Harbor”. To me these labels are irresponsible. Comparisons with genocide or Pearl Harbor are inappropriate until thousands of people are killed in a hack attack.
A suicide hack attack would include the death of the attacker, not their loss of freedom, not the deletion of their user account.

Telephone and Internet service to 100k NewZealand customers was knocked offline on Monday and the KiWi stock market had to close early. All because some ditch diggers took out one service pipeline and some rats took out the other.
There is no word on whether or not Richard Clarke has called this a Digital Pearl Harbor.

“The art of war teaches us to rely not on the likelihood of the enemy’s not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather not the fact that we have made our position unassailable”
–The Art of War, Sun Tzu
This quote was at the beginning of Chapter 1 of Cryptography and Network Security by William Stallings. Its an interesting statement to meditate on in the context of computer security. Can a networked computer ever be made unassailable. I would think it is a safe statement to say no.
When I first read the quote, I was afraid this was more fodder for those who warn of a Digital Pearl Harbor. I thought of the U.S.S.R. spending itself into oblivion over fear of the United States. But we dont need to spend ourselves into oblivion in the name of I.T. security. Rather, we need to put up reasonable defenses, and then continue to be vigilant about the sufficiency of those defenses moving into the future.