Saturday, July 11, 2009

Cyber-Attacks "No More Harmful than Spam" - So Far

The three recent cyber-attacks on South Korean and American networks have been serious. The most recent, a distributed denial of service, or DDOS, attack involved upwards of 20,000 infected computers in South Korea, and was aimed at seven major business and government websites in South Korea (CNN)

But, as far as we know, nobody died as a result of the DDOS attack. One news service described the attacks as "no more harmful than spam'" (CBC)

So far, we've been lucky.

Code discovered in the American power grid two years ago could have interfered with the power supply. (CNN) If there is no change in the status quo, I'd be surprised if, in the next decade, somebody doesn't manage to take down America's power grid, or another part of our infrastructure.

Sneak Peek at Power Grid Failure: 1995, Chicago

If the power grid was compromised in, say, July, we could see results similar to Chicago's 1995 heat wave, where about 600 or 700 people died. (Annals of Internal Medicine, The New England Journal of Medicine) That time, Chicago had power, but it was really hot.
"...From July 12 through July 16, 1995, in Chicago, the maximal and minimal temperatures reached unprecedented highs, and the high temperatures were accompanied by extremes of relative humidity...." (The New England Journal of Medicine)
A more conventional academic approach to the disaster says that it wasn't the heat. Someone wrote a book saying that not having enough government services, and apathy, were at least partly to blame. (University Press, Chicago)

So the Heat Index is 100 and the Power Goes Out: How Bad Could That Be?

If malicious software took down a large part of America's power grid in July or August, my household would be inconvenienced, but we'd be okay. We live in a small town in central Minnesota. Even if it was a hot, sticky week, we could move into the basement, wrap the freezer in blankets, and wait it out.

I'm pretty sure that most people living in cities wouldn't have that option. There's only so much room in the basement of high-rise apartments.

Finger-Pointing Knows No Borders

Meanwhile, in South Korea, the comparatively routine sequence of claims that the country's intelligence agency didn't see the attacks coming, that it did, but that the rest of the government didn't do something, and so on, are making their way through the press. (The Korea Times, The Korea Herald)

Cyber-Attacks: Business-as-Usual, Feel-Good Solutions, and Thinking for the Long Haul

The CNN article I'm using for an example is in their "World Business" section, so the emphasis on the criminal aspect of malicious activity on the Internet is somewhat understandable.

It's a Crime

However, it impressed me how the article stressed how events like the cyber-attacks on American and South Korean government targets were compared to identity theft and similar for-profit actions against individuals and businesses:
"The death of Michael Jackson and Internet attacks in the United States and South Korea share a cyber-crime connection...."

"...The fake Michael Jackson snares and the large-scale attack in South Korea illustrate the pipeline of cyber crime...."

"...Internet crime has evolved from the vandalism of early worms to schemes to bilk users out of personal information and cash. Now there are more incidents like the cyber attack in South Korea and Washington, which nation-states can use in military or political conflicts...." (CNN) [emphasis mine]
That third reference was in the fourth-to-last paragraph, right after a brief discussion of the hazards that a hotel's Web page might pose.

I'll heartily agree that an attempt to get someone's credit card number, and an attempt to read classified information or bring down a military information network are both activities which are both not good.

But, although the latter is, in a sense, "criminal," I think it is a mistake to treat the creation of phony Michael Jackson fan sites and assaults on a government's information system as equivalent activities.

America had a long record of treating terrorist attacks as essentially criminal matters in 1993, when Sheikh Omar Abdel-Rahman masterminded the first attack on New York City's World Trade Center. Arguably, it took another, more successful, attack in 2001 to jolt some of America's leaders into accepting the idea that the jihad against the West was more than an unconnected series of criminal acts.

From the looks of things, quite a few people have yet to make the connection, when it comes to attacks on our information system.

Okay, Let's Say These Attacks are Attacks, Now What?

I discussed an emotionally satisfying but debatably sensible argument for retaliation in kind yesterday. (July 10, 2009)

Briefly: An op-ed writer had, I think correctly, said that a purely defensive posture against cyber-attacks was imprudent; He then proposed retaliating with a similar attack against North Korea's information systems.

Even assuming that there's reasonable proof that North Korea is the source of the recent attacks - and I think they're the leading suspect - I am not at all convinced that a 'tit for tat' approach would work. Yesterday, I suggested blocking all information access to North Korea as a means of dealing with the immediate issue of protecting our information systems.

After that, short of a 'Nuke Pyongyang' approach, there isn't an obvious solution to the problem of what to do with North Korea's leaders. It's difficult to see what would affect the policies of a country whose leaders give every indication of being unresponsive both to the opinions of the world's nations and to the needs of their subjects.

If nothing changes, I fear that military force will be needed. On the other hand, considering the age of North Korea's leaders, we can wait for Kim Jong Il and some of the top generals to die: and hope that the dynasty's next generation is a little more interested in the welfare of North Koreans.

We Need More San Marinos and Fewer North Koreas

In the long run, I think many problems we have with criminal activity on the Internet will be more easily solved when there are more nations like Brunei, Japan, San Marino and Singapore: with healthy economies, literacy rates in the nineties, and a vested interest in protecting individuals and businesses from criminal activity as well as terrorism.

But that's getting somewhat beyond the scope of this blog.

Related posts:
In the news:
Background:

No comments:

Unique, innovative candles


Visit us online:
Spiral Light CandleFind a Retailer
Spiral Light Candle Store

Blogroll

Note! Although I believe that these websites and blogs are useful resources for understanding the War on Terror, I do not necessarily agree with their opinions. 1 1 Given a recent misunderstanding of the phrase "useful resources," a clarification: I do not limit my reading to resources which support my views, or even to those which appear to be accurate. Reading opinions contrary to what I believed has been very useful at times: sometimes verifying my previous assumptions, sometimes encouraging me to change them.

Even resources which, in my opinion, are simply inaccurate are sometimes useful: these can give valuable insights into why some people or groups believe what they do.

In short, It is my opinion that some of the resources in this blogroll are neither accurate, nor unbiased. I do, however, believe that they are useful in understanding the War on Terror, the many versions of Islam, terrorism, and related topics.