- The Washington Times - Thursday, December 26, 2002

Much has been made, including money by the sale of books, of the supposed vulnerability of the United States to cyber-terrorism. The idea is that various bad guys could hack into the national infrastructure, meaning things like the electric grid, water supplies and air traffic control, to "bring the country to its knees."
Such a threat is overblown, says James Lewis, of the Center for Strategic and International Studies, in a paper published this month.
Mr. Lewis makes a distinction between computer networks in general and critical infrastructure. He says, "a brief review suggests that while many computer networks remain very vulnerable to attack, few critical infrastructures are equally vulnerable." To bring the country down even briefly, terrorists would have to do serious damage to critical systems, not just make nuisances of themselves.
Mr. Lewis makes several points. One is that there is a difference between being a pest and causing strategically serious damage. Bollixing up administrative systems, for example, would have no strategic importance. Nor would it terrify anyone.
Second, the American infrastructure is much more robust than terror mongers would have us think. Failure and disruption are already a routine fact of infrastructural life and cause no more than inconvenience.
For example, storms drop trees on power lines, causing widespread loss of power for a few hours. It's irritating but strategically insignificant. Water mains break, a new computer worm causes trouble, a radar fails in an air-traffic control center. The system, says Mr. Lewis, is designed to work around and repair these disruptions.
Years back, having been told how vulnerable to hackers the air-traffic control system was, I called an airport to ask. The response was, first, that the actual direction of traffic isn't on the Internet and second, that if hackers somehow disabled the electric grid, the airport would use its back-up generators.
Well, how vulnerable is the electric grid?
Says Mr. Lewis: "Many analyses have cyberterrorists shutting down the electrical power system. One of the better cyber-security surveys found that power companies are a primary target for cyber-attacks, and that 70 percent of these companies had suffered a severe attack in the first six months of 2002," Yet, he says, none has caused an outage.
A point Mr. Lewis doesn't explicitly make: The underlying assumption in most of the cyber-doom predictions is that everyone but is stupid. Oddly enough, the people in charge of important infrastructure have thought of the obvious. The electrical engineers who run power networks have heard of computers. They have thought about these problems.
Suppose computer terrorists wanted to disrupt the water supply, which has been suggested as a danger. Mr. Lewis notes that the United States has 54,064 different water-supply systems. That's a lot of targets to attack. Some are more important than others: Of the total, he says, 353 serve 40 percent of the population. Brief disruptions of water supplies do not threaten the national security.
Is the military at risk? Mr. Lewis says, " while there were many attacks against U.S. military computer networks during operations in Kosovo, these attacks did not result in sorties being canceled or in a single casualty."
An assumption I have noticed in disaster scenarios is that if a terrorist can disrupt a network's computers, the network is destroyed. Actually, computers fail frequently, whereupon the engineers reload from backups and life goes on.
His conclusion: "The sky is not falling, and cyber-weapons seem to be of limited value in attacking national power or intimidating citizens."

LOAD COMMENTS ()

 

Click to Read More

Click to Hide