Potential for Cyber-terrorism May Be Just High-Tech Hype by Sean OíDriscoll Last month, the free e-mail security system MailScanner started running a complex new system to protect users from cyber-terrorism. Technology experts took noteóMailScanner is a huge player in the e-mail world, processing more than 500 million e-mails every day, removing 2 million viruses, and identifying 75 million spam messages. The fact that it is now stepping up defenses against cyber-terrorists was a litmus test for the industryís grave fears about possible cyber-attacks. Last month also saw the arrival of the new Department of Homeland Security, with President Bush referring to cyber-terrorism as one of the threats that the department will have to root out. At the end of February, Homeland Security Secretary Tom Ridge addressed the nationís utilities commissioners, telling them that the nationís power plants are still vulnerable to cyber-terrorism. ìYou do damage potentially to the grid, and you have affected how a community can operate,î Ridge said, before warning that an attack could have ìfar-reaching conseq uencesî for an entire region of the United States. The alarm in the U.S. government did not start, however, with the Sept. 11 terrorist attacks or even with the Bush administration. In 1998, it was revealed that the Pentagon was already preparing defenses against enemy programmers who might use the Internet to shut down hydroelectric generators and paralyze corporations and the armed forces. Now, all across the country, technology companies are making billions of dollars upgrading computer technology and holding seminars on this new threat to the U.S. way of life. They cite alarming figures: According to federal statistics, 70 percent of the nationís power plants, including nuclear plants, reported being hacked into during the past year. ìAny 13-year-old with an Internet connection and a little spare time can be a hacker,î cyber-terrorism expert Paul Henry of CyberGuard in Florida said. ìWhy wouldnít an al Qaeda operative take that same opportunity?î But an obvious question arises: If 70 percent of the nationís power plants have been hacked, why then have there been no life-threatening attacks by terrorists? And why, for that matter, have none of the diplomatic missions in Washington ever faced a serious cyber-attack? A large number of experts who do not make a living from cyber-terrorism say the hype is similar to that surrounding the ìmillennium bugîówhich many say was a scare tactic used by technology companies to get governments and corporations to consume expense products before the new millennium. They also claim the governmentís desire to show it is being tough on terrorism has led it to ignore a very obvious point: Terrorists have next to zero possibility of inflicting terror on the American public through computer networks. Technology expert and cyber-terrorism cynic Jack Kapica cites the often-used phrase ìThe first casualty of war is truthî when referring to what he sees as the vastly overplayed threat of attacks on U.S. technology. For Kapica, the exaggeration of the cyber-terrorist threat can be seen in the National Strategy to Secure Cyberspace, a list of policies issued by the Department of Homeland Security that he says are not backed by legislation because the government knows the threat is remote. According to the Internet Security Threat Report released late last year by U.S. security specialist Symantec Inc., the number of hacker attacks on corporations has decreased in the last six months by 6 percent and the threat of a serious assault on U.S. computer networks remains low. This is bad news for technology security companies such as mi2g, which hastily disputed the figures and claimed that in the same six months, there was a 229 percent increase in digital attacks worldwide, releasing figures showing where the attacks were taking place. These figures showed, for instance, that Brazil came in second and Italy came in fifth in the number of attacks. Kapica said this is an indication that cyber-attacks have little to do with the Iraqi crisis or the turmoil in the Middle East and is further proof that most cyber-attacks have more to do with curious hackers and disgruntled employees than with vast terrorist conspiracies. Such a view appeared to be reinforced by law enforcement agents attending a recent cyber-crime convention in Connecticut, who concurred that the threat of cyber-terrorism is much lower than day-to-day computer crimes, such as identity theft and child exploitation. However, according to James Doyle, president of Internet Crimes, a technology training company that hosted the conference, the threat will only become real for many people after it has actually happened. ìPeople say that the cyber-terrorism threat isnít real, but three years ago, who imagined that the World Trade Center would be brought down by hijacked airplanes?î Rich Pethia, manager of the Networked Systems Survivability Program at Carnegie Mellon University in Pittsburgh, echoes his view. ìItís only a matter of time before something like cyber-terrorism happens. But people only pay attention when thereís a big event, so itís hard to get them to see the risks,î Pethia said. However, other security experts in the field say that by definition, terrorism implies terror, an emotion that is not likely to be present if an embassyís e-mail is shut down for a day by hackers. ìCyber-terrorism is largely overblown,î said Bruce Schneier, founder and chief technical officer of Counterpane Internet Security Inc. in California. ìDropping [automatic teller machine] networks and shutting down e-mail is not terrorism. If I canít get to my e-mail for a day, I am not terrorized. We are many years away from somebody being able to launch large-scale electronic attacks that have the effects of a bomb,î he said. Rainer Fahs, an information security expert with NATO, an organization that was previously the target of Serbian hackers and that should have a thing or two to worry about when it comes to cyber-terrorism, also expressed an optimistic view. ìTerrorists will use the Internet to communicate, which is different from an attack,î he said. ìWe do not see a terrorist attack on the Internet happening.î According to Brendan Koerner, a fellow at the New America Foundation, the U.S. government is falling over itself to show that it is willing to take on the cyber-terrorists, even when that means a Don Quixote-like charge at the high-tech windmills. He cites the new Homeland Security strategy on cyber-terrorism, which warns, ìComputer faults in software and hardware that could permit unauthorized network access Ö increased significantly from 2000 to 2002, with the number of vulnerabilities going from 1,090 to 4,129.î According to Koerner, the accepted bug rate for software is between five and 15 errors per 1,000 lines of code, which means a typical Windows operating system has close to 300,000 potential ìvulnerabilities.î He said the tech security companies, which rush to have experts available to the media whenever there is a scare, are feeding the government hype. He also cites examples of technology companies allegedly planting media hoaxes to frighten the public into buying more security software. Much more serious, Koerner said, is the offline threat of terrorist infiltration. ìMany hackers speak of a group called the Masters of Downloading, whose claims of taking control of NASA satellites have been discredited, while a man posing as a CIA agent was able to tour NASA buildings for months with a false ID,î he said. Others claim the hunt for cyber-terrorists has led the government to prey on relatively harmless hackers. Americaís largest group of defense lawyers has published a position paper arguing that people convicted of computer-related crimes tend to get tougher sentences than comparable non-high-tech offenses. The paper, signed by the National Association of Criminal Defense Lawyers (NACDL) and others, criticized sentences for computer crimes because they rely on damage figures that can easily be inflated. ìThe serious nature of offenses is overplayed,î said Jennifer S. Granick, author of the paper and director of the Stanford Law School Center for Internet and Society. ìThe majority of the offenses are generally disgruntled employees getting back at the employer or trying to make money.î The NACDL reviewed 55 cases highlighted by the U.S. Department of Justice, in which only 15 involved harm to the public and only one involved a threat to safety. The paper added that such cases should be treated as white-collar fraud, not terrorism. < br> Those convicted ìare receiving sentences based on the fear of the worst-case scenario rather than what the case may really be about,î Granick said. ìThe threat to the American way of life might not come from cyber-terrorists, it just might come from the erosion of civil liberties enjoyed by us all.î Sean OíDriscoll is a contributing writer for The Washington Diplomat.