This post is probably going to get me into trouble, but this stuff needs saying.
There’s been a sudden outburst of sanity today about this topic, so I feel obliged to throw in my 2¢.
A few weeks back I heard somebody say that we hadn’t yet seen a ‘digital 9/11’. I think what they meant here was some kind of event so catastrophic in its consequences that the world of IT security (I hate the term ‘cyber security’) would change forever. This got me thinking about impact and scale. The death toll on 9/11 was just short of 3000 people – the largest terrorist event ever, but a tiny proportion of the worldwide population. I would estimate that a far greater proportion of the worldwide computer population is falling victim to the various botnets and worms out there every single day. Those computers aren’t missed though, like the loved ones lost in 9/11. Malware can be removed. Systems can be rebuilt. Old machines can be consigned to the trash and new ones bought.
My take is that this isn’t really about scale. We see attacks every day that are large in scale, and this is what we live with as normal. So what about impact? This is where we head off into movie plot territory. Terrorists taking over nuclear plants, terrorists taking over safety critical systems in utilities, terrorists bringing down our financial systems. The movie plots work because we all know that these things have computers inside them, and we all know that those computers can go wrong. But that’s exactly the point – computers go wrong all the time. We’re used to that, and we work around that. Whether going wrong is caused by malice or incompetence really shouldn’t matter – we deal with so much incompetence so regularly that malice can in fact be treated as a special case of incompetence.
Will there be IT failures in the future – of course. Will some of these failures be caused deliberately (by people who we label as criminals, and a special subset that we label as terrorists) – yes. Will some of the failures cascade into high impact events – undoubtedly. Will this be the ‘digital 9/11’ that the chicken littles are screaming about (usually to get a big bag of money for some pet project) – I think not. Just as we shouldn’t be wasting resources on special anti terror schemes in the physical world (rather than just good old intelligence and response capabilities) the same is true in the online world. Be informed, and be ready to do something – whatever the cause.