Digital 9/11
This post is probably going to get me into trouble, but this stuff needs saying.
There’s been a sudden outburst of sanity today about this topic, so I feel obliged to throw in my 2¢.
A few weeks back I heard somebody say that we hadn’t yet seen a ‘digital 9/11’. I think what they meant here was some sort kind of event so catastrophic in its consequences that the world of IT security (I hate the term ‘cyber security’) would change forever. This got me thinking about impact and scale. The death toll on 9/11 was just short of 3000 people – the largest terrorist event ever, but a tiny proportion of the worldwide population. I would estimate that a far greater proportion of the worldwide computer population is falling victim to the various botnets and worms out there every single day. Those computers aren’t missed though, like the loved ones lost in 9/11. Malware can be removed. Systems can be rebuilt. Old machines can be consigned to the trash and new ones bought.
My take is that this isn’t really about scale. We see attacks every day that are large in scale, and this is what we live with as normal. So what about impact? This is where we head off into movie plot territory. Terrorists taking over nuclear plants, terrorists taking over safety critical systems in utilities, terrorists bringing down our financial systems. The movie plots work because we all know that these things have computers inside them, and we all know that those computers can go wrong. But that’s exactly the point – computers go wrong all the time. We’re used to that, and we work around that. Whether going wrong is caused by malice or incompetence really shouldn’t matter – we deal with so much incompetence so regularly that malice can in fact be treated as a special case of incompetence.
Will there be IT failures in the future – of course. Will some of these failures be caused deliberately (by people who we label as criminals, and a special subset that we label as terrorists) – yes. Will some of the failures cascade into high impact events – undoubtedly. Will this be the ‘digital 9/11’ that the chicken littles are screaming about (usually to get a big bag of money for some pet project) – I think not. Just as we shouldn’t be wasting resources on special anti terror schemes in the physical world (rather than just good old intelligence and response capabilities) the same is true in the online world. Be informed, and be ready to do something – whatever the cause.
Filed under: security | 2 Comments
Tags: 9/11, cyber, intelligence, movie plot, response, security, terrorist
Subscribe
Recent Comments
Tim Coote on Ross Anderson RIP iain on Skiing in Espace Killy (Val… Chris Swan on Getting more from a British Ga… Murray Cowell on Getting more from a British Ga… JL on AI MacGuffin 
Pinboard.in bookmarks- Zombie: Middleboxes that Don’t Snoop
- Thousands protest against Canary islands’ ‘unsustainable’ tourism model
- Commission proposes youth mobility between EU and UK
- DEA fuels moral panic over ADHD meds to justify its failed drug war
- Meta.ai Oh My!
- Looking for AI use-cases — Benedict Evans
- the biggest threat facing your team
- Why has Hugh Grant settled his phone hacking claim against the Sun?
- Open Source Security (OpenSSF) and OpenJS Foundations Issue Alert for Social Engineering Takeovers of Open Source Projects
- AI isn't useless. But is it worth it?
Chris Swan's Weblog 
Nothing is beyond my imagination.! Computers, technology, is amateur land as far as I am concerned.
Who or what directs the tech. is what interests me. I have had some conclusions that I drew from reality. If it looks like a duck, quacks like a duck, walks like a duck? Look at the obvious in front of you. Pay attention, ! The duck could become the shooter.!
I must confess that you’ve lost me here. When I think about shooting ducks it’s because they’re tasty, not because they could pull a gun and shoot back.
The amateur versus professional issue is an interesting one. Online crime has become a business. A very profitable business, with less risk than other types of organised crime (e.g. drugs). The result is that we face a situation of professional attackers against mostly amateur defenders (as only the largest organisations can afford professional defenders).
Terrorism (online or otherwise) these days has become a mostly amateur activity. One of the more effective responses from 9/11 was the closing down of funding routes that would support professionals, but one of the great issues since then is that amateurs are more numerous and harder to detect. This led to Schneier’s comment about ‘terrorist special olympics‘, and I’m looking forward to seeing Four Lions as it’s the kind of black comedy that I know will have me falling around. Of course the next issue becomes the permeable boundary between profit motivated organised crime and dogma motivated terrorism. This is typically a one way street (from dogma to money) as peace breaks out in an area of unrest, but must remain a concern (though one that’s been scandalously overplayed by the media industry as they push the story that ‘pirate’ DVDs are funding Al Quaeda).