Truth About Computer Security Hysteria
Halloween stories about computer nerds
Thursday, 12 November 1998
In "Critical Infrastructure: Interlinked and Vulnerable" [Fall 1998], Dr. C. Paul Robinson, et al. showed how proponents often debate "for" national infrastructure protection. In "An Electronic Pearl Harbor? Not Likely" [Fall 1998], Dr. George C. Smith showed how skeptics often debate "against" such protection. Because IS&T printed these articles side-by-side, the casual reader might treat it as a dispute over whether to protect the national infrastructures at all. In reality, Robinson played up a minor "cyber threat" to help justify more protection while Smith focused on the chronic overemphasis of cyber threats.
Robinson described spectacular infrastructure failures — one caused by an earthquake, another sparked by a sagging power line — and postulated a terrorist could trigger similar failures via a remote computer. He cited then-CIA director John Deutch, who in 1997 told Congress "information warfare" ranked second only to terrorists wielding nuclear, biological, or chemical weapons. Therefore, Robinson concluded we must go to extraordinary lengths to protect national infrastructures from both physical and cyber threats.
Smith asserted the insane complexity of national infrastructures prevents terrorists from triggering spectacular failures via remote computer. Those who claim otherwise rely on exaggeration and fear, not evidence, to bolster their cries of alarm. Smith led us to ask obvious questions: If terrorists possess deadly cyber weapons as claimed, why don't they use them? Why don't newspapers cover cyber terrorism comparable to the Tokyo nerve gas attack or Oklahoma City bombing? Smith concluded we don't need to go to extraordinary lengths just to protect national infrastructures from electronic bogeymen.
In the final analysis, Dr. Robinson showed we must do more to protect national infrastructures from acts of nature and design errors (e.g., earthquakes and the "Y2K" problem). We also must protect national infrastructures from genuine terrorist threats. More protection will require more resources — but as Dr. Smith explained, we shouldn't try to scare the money out of people with Halloween stories about computer nerds.