X

Cyberterror and professional paranoiacs

The U.S. war on Iraq has begun--now wait for the hype about "cyberwar" and "cyberterrorism" to follow. CNET News.com's Washington Watcher Declan McCullagh says Homeland Security Secretary Tom Ridge has already gotten the ball rolling.

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
Declan McCullagh
4 min read
WASHINGTON--The U.S. war on Iraq has begun.

Now wait for the hype about "cyberwar" and "cyberterrorism" to follow.

The first onslaught came this week when Homeland Security Secretary Tom Ridge said he was ratcheting up to an Orange Alert to coincide with the U.S. invasion. Ridge said his department would "monitor the Internet for signs of a potential terrorist attack, cyberterrorism, hacking, and state-sponsored information warfare."

Then, during an appearance on Thursday to ask a House panel for a fatter 2004 budget, Ridge claimed that cyberterrorists were just as dangerous as physical ones.

"We will not distinguish between physical and cyber in this new unit," Ridge said. "We will pay as much attention to the Internet as we do physical."

What is this guy thinking?

Last I checked, it was physical terrorists who bombed the Marine barracks in Lebanon, who attacked the U.S.S. Cole, who took out the Oklahoma City federal building, and who suicide-bombed the World Trade Center and the Pentagon.

Wily-fingered hackers had nothing to do with it.

Until recently, Ridge has seemed basically levelheaded about the real dangers of cyberterrorism. Someone who's close to Ridge told me that the secretary simply doesn't care that much about the topic, which would explain his silence.

But now that agency budgets are up for review, Ridge seems to be treading the same alarmist path as did his former cybersecurity deputy, Richard Clarke, who quit in January.

Clarke was a professional paranoiac, a modern-day Chicken Little blinkered by a career spent in the cloistered intelligence community. It didn't help that Clarke's résumé featured such harrowing tasks as planning for the "continuity of government" after a nuclear strike on Washington--a job where no precaution is too extreme. Soon after President Clinton appointed him to a "national coordinator" post in 1998, Clarke became infamous for darkling warnings about the specter of a "digital Pearl Harbor" that would snarl computers and roil the world's economy.

Last I checked, it was physical terrorists who suicide-bombed the World Trade Center. Wily-fingered hackers had nothing to do with it.
To understand this bureaucratic mindset, consider that--while at the U.S. State Department in the mid-1980s--Clarke concocted a zany plan to incite a coup against Moammar Gadhafi to punish the Libyan strongman for embracing terrorism. Clarke's suggestion: SR-71 spy planes would buzz Libya, creating sonic booms that would appear to herald an invasion, thus unnerving Gadhafi. Meanwhile, the U.S. Navy would fake hostilities off the coast and the State Department would encourage "speculation about likely Gadhafi successors," according to a memo coauthored by Clarke. After news of the plan leaked, an embarrassed Reagan White House unceremoniously ditched it. The New York Times' William Safire dubbed the scheme "stupid and venal."

Clarke's penchant for the dramatic, which I witnessed firsthand when I spent an hour interviewing him in December 2001, extended to a farewell statement he circulated in January. It warned of the dangers of the SQL Slammer worm, which infected servers running Microsoft software.

In that statement, Clarke claimed that Slammer "disabled some root servers, the heart of Internet traffic." Not true. A report from the RIPE Network Coordination Center--one of the Internet's four regional registries--said that at most the worm slowed connectivity to two of the 13 root servers and did not disable any of them. "This did not cause any degradation in (domain name system) service," RIPE concluded.

Clarke also claimed that "a national election/referendum in Canada was canceled" due to computer mischief. At best, that was a reckless exaggeration. What actually happened is that Canada's New Democratic Party held a leadership convention and found their Internet voting to be sluggish. CBC reported that voting was completed just 45 minutes behind schedule.

It's not just Clarke and Ridge. Exaggeration is easy when you're a bureaucrat hoping to make yourself seem more important and thereby


Special report
E-terrorism
Have digital myths diverted
attention from true threats?


fatten your paycheck at your next job, or when your funding is up for review, or when you want to lobby for new and probably unwise laws that would endanger privacy or impose additional costs on technology firms (one of Clarke's pet ideas).

It's important to remember that, as CNET News.com reported in detail last year, it's always easier to bomb a target than hack a computer. Although it is possible for electronic intrusions to damage infrastructure and threaten physical danger, taking control of those systems from the outside is extremely difficult, requires a great deal of specialized knowledge and must overcome noncomputerized fail-safe measures.

Put another way, I've never heard of one death that could be attributed to "cyberterrorism." Not being able to check your e-mail for a day is an annoyance, not terrorism, as Counterpane's Bruce Schneier said last week.

On Thursday evening, President Bush said he would nominate Frank Libutti to be Ridge's undersecretary for "Information Analysis and Infrastructure Protection," a position that will have key Internet responsibilities. Libutti currently is deputy commissioner for counterterrorism at the New York City Police Department, and is also a retired lieutenant general in the U.S. Marine Corps.

The Internet community should work with Libutti to put the threat of cyberterrorism in perspective. We don't need any more government officials clamoring for intrusive new laws and claiming, against all common sense, that a "digital Pearl Harbor" is just around the corner.