eTerrorism: Assessing the infrastructure risk

In 1998, a 12-year-old hacker broke into the computer system that controlled the floodgates of the Theodore Roosevelt Dam in Arizona, according to a June Washington Post report. If the gates had been opened, the article added, walls of water could have flooded the cities of Tempe and Mesa, whose populations total nearly 1 million.

There was just one problem with the account: It wasn't true.

A hacker did break into the computers of an Arizona water facility, the Salt River Project in the Phoenix area. But he was 27, not 12, and the incident occurred in 1994, not 1998. And while clearly trespassing in critical areas, the hacker never could have had control of any dams--leading investigators to conclude that no lives or property were ever threatened.

"It's like the children's game of 'telephone,'" said Gail Thackery, assistant attorney general for Arizona and the prosecutor on the Salt River hacking case. "You get the reality at one end and, at the other end, something completely different."

The misreported incident serves as a metaphor for today's pressing debate over the Internet's vulnerability to attack. While warnings pervade government and the media, doomsday scenarios of cyberterrorism that result in massive deaths or injury remain largely the stuff of Hollywood scripts or conspiracy theory.

Although it is possible for electronic intrusions to damage infrastructure and threaten physical danger, taking control of those systems from the outside is extremely difficult, requires a great deal of specialized knowledge and must overcome non-computerized fail-safe measures. As a result, government and corporate security experts--while careful not to dismiss the gravity of the issue--point to this indisputable fact: It is still easier to bomb a target than to hack a computer.

"If we had so many dollars to spend on a water system, most of it would go to physical security," said Diane VanDe Hei, executive director of the Association of Metropolitan Water Agencies and point person for the Information Sharing and Analysis Center (ISAC) for the water utilities.

In a so-called "digital Pearl Harbor" exercise sponsored by the U.S. Naval War College and Gartner last month, analysts posing as terrorists were able to simulate a large-scale cyberattack on the nation's infrastructure. But to do so they needed $200 million, high-level intelligence and five years of preparation time. The college concluded that such an offense could cripple communications in a heavily populated area but would not result in deaths or other catastrophic consequences.

Yet the hyperbole about an Internet attack frequently overshadows common sense. On Sept. 11, it took less than 24 hours after four passenger jets were used as weapons of mass destruction for cries of cyberterrorism to emerge as the next great threat, triggering calls for new legislation to broaden the authority of law enforcement agencies.

"Until we secure our cyber infrastructure, a few keystrokes and an Internet connection is all one needs to disable the economy and endanger lives," said Rep. Lamar Smith, R-Texas, in a statement heralding the House's passage of the Cyber Security Enhancement Act last month. His favorite tag line: "A mouse can be just as dangerous as a bullet or a bomb."

That sort of rhetoric is why many dislike the term "cyberterrorism." Ambiguity over its definition--and, therefore, which threats are real and which are not--has confused the public and given rise to countless myths. The phrase has become a catchall buzzword that evokes nightmare images that can be exploited to support political agendas ranging from stronger surveillance authority to tighter immigration controls.

"If you say cyberterrorism, you confuse people," said Richard Clarke, President Bush's special adviser for cybersecurity. "Osama bin Laden is not going to come for you on the Internet."

Cyberattacks come in two forms: one against data, the other on control systems. The first type attempts to steal or corrupt data and deny services. The vast majority of Internet and other computer attacks have fallen into this category, such as credit-card number theft, Web site vandalism and the occasional major denial-of-service assault.

Control-system attacks attempt to disable or take over the operations used to run physical infrastructure, such as the "distributed control systems" that regulate water supplies, electrical transmission networks and railroads. Remote access to many control systems has traditionally required an attacker to dial in with a modem, but these operations are increasingly using the Internet to transmit data or are connected to a company's local network--a network protected by firewalls that, in some cases, could be penetrated.

Still, Clarke and other security officials say any damage resulting from electronic intrusion would be measured in loss of data, not life.

"It would be relatively easy to conduct a cost-free or risk-free attack given the endemic vulnerabilities in our system," said Michael Vatis, director of the Institute for Security Technology Studies at Dartmouth College and a former director of the National Infrastructure Protection Center, the cybersecurity arm of the FBI. "It would be harder to kill people or have a lasting effect using cyberattacks."

It is true, however, that cyberattacks could have severe consequences without causing deaths. Many power companies and water utilities are operated with networks of computer-controlled devices, known as supervisory control and data acquisition (SCADA) systems, which could be hacked.

SCADA systems could be attacked by overloading a system that, upon failure, causes other operations to malfunction as well, said John Dubiel, a Gartner consultant who worked on the electrical power attack in last month's war games. Such domino effects have been seen in incidents resulting from natural events.

In 1996, the power along much of the West Coast corridor went out for nine hours after a tree branch fell on some power lines and, in combination with several other problems, caused a cascading failure. In 1990, a similar event with an AT&T switch touched off a chain reaction that shut down long-distance communications across the United States.

"The system attacks itself in these cases," Dubiel said.
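The domino effect Dubiel describes can be made concrete with a toy model. The following is an added illustration, not code from the article, the Gartner war game or any utility: a constructed five-line grid (assumed loads, capacities and neighbour lists) in which a tripped line hands its load to the neighbouring lines still in service, and any line pushed past its capacity trips in the next round. Tripping a single line at the chosen loads takes out the whole network; giving every line more headroom stops the cascade at the first failure.

```python
import copy

# Constructed toy grid (assumed values, not a real network). Each line carries a
# load, has a capacity, and names the lines that pick up its load if it trips.
LINES = {
    "L1": {"load": 80, "capacity": 100, "neighbours": ["L2", "L3"]},
    "L2": {"load": 70, "capacity": 100, "neighbours": ["L1", "L4"]},
    "L3": {"load": 60, "capacity": 100, "neighbours": ["L1", "L4"]},
    "L4": {"load": 90, "capacity": 100, "neighbours": ["L2", "L3", "L5"]},
    "L5": {"load": 30, "capacity": 100, "neighbours": ["L4"]},
}


def cascade(lines, initial_failure):
    """Trip `initial_failure` and propagate the consequences.

    A tripped line's load is shared equally among its neighbours that are still
    live; a line whose load then exceeds its capacity trips in the next round.
    Load with no live neighbour to absorb it is simply lost (customers go dark).
    Returns a list of rounds, each the sorted list of lines tripped in that round.
    """
    state = copy.deepcopy(lines)          # never mutate the caller's grid
    live = set(state)
    rounds = []
    to_trip = [initial_failure]
    while to_trip:
        rounds.append(sorted(to_trip))
        for name in to_trip:              # take the whole round out of service first
            live.discard(name)
        for name in to_trip:              # then redistribute what each one carried
            shed = state[name]["load"]
            state[name]["load"] = 0
            targets = [n for n in state[name]["neighbours"] if n in live]
            for n in targets:
                state[n]["load"] += shed / len(targets)
        # Every live line now over capacity trips in the next round.
        to_trip = [n for n in sorted(live) if state[n]["load"] > state[n]["capacity"]]
    return rounds


def with_capacity(lines, capacity):
    """Copy of the grid with every line rated to `capacity` (more headroom)."""
    derated = copy.deepcopy(lines)
    for line in derated.values():
        line["capacity"] = capacity
    return derated


if __name__ == "__main__":
    for i, tripped in enumerate(cascade(LINES, "L1"), start=1):
        print(f"round {i}: tripped {', '.join(tripped)}")
    print("with 200-unit lines:", cascade(with_capacity(LINES, 200), "L1"))
```

The model is deliberately crude (real grids redistribute power according to impedance, not equal shares, and have protective relays with their own timing), but it shows the property that matters: the attacker or the fallen branch only has to remove one element; the protection logic of the remaining elements does the rest.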

Making matters worse, more than 80 percent of such critical infrastructure is privately owned, and in many cases the companies have not been sufficiently educated about information security until recently. Security consultants have attested that many utilities have an indirect path to the Internet from their SCADA master terminals.

In November 2001, 49-year-old Vitek Boden was sentenced to two years in prison for using the Internet, a wireless radio and stolen control software to release up to 1 million liters of sewage into the river and coastal waters of Maroochydore in Queensland, Australia.

Boden, who had been a consultant on the water project, conducted the attack in March 2000 after he was refused a full-time job with the Maroochy Shire government. He had attempted to gain access to the system 45 times, and his last attempt proved successful, allowing him to release raw sewage into the waterways.

"Marine life died, the creek water turned black and the stench was unbearable for residents," said Janelle Bryant, investigations manager for the Australian Environmental Protection Agency.

That the facility failed to notice the first 44 attempts speaks volumes about the state of security at public utilities. In a 1997 survey of 50 utilities, then-graduate student Barry C. Ezell, a captain in the U.S. Army, found that 40 percent of water facilities allowed their operators direct access to the Internet, and 60 percent of the SCADA systems could be connected to by modem.
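Forty-four unnoticed attempts is a detection failure as much as an access-control one. As an added example, not code from the article or from any utility, the script below runs a simple check over a constructed remote-access log: it flags any source that fails to log in a threshold number of times within a window, and flags a successful login that follows a run of failures (the pattern in the Maroochy case). The log format, station and source names are assumptions invented for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumed format, not a real utility's log): one remote
# login attempt per line, with a source identifier and an outcome.
SAMPLE_LOG = """\
2000-03-12 01:02:11 pumpstation-7 remote-login src=radio-unit-3 result=FAIL
2000-03-12 01:04:52 pumpstation-7 remote-login src=radio-unit-3 result=FAIL
2000-03-12 01:07:30 pumpstation-7 remote-login src=radio-unit-3 result=FAIL
2000-03-12 01:09:15 pumpstation-7 remote-login src=radio-unit-3 result=FAIL
2000-03-12 01:12:40 pumpstation-7 remote-login src=radio-unit-3 result=OK
this line is garbage and must be skipped
2000-03-12 08:30:00 pumpstation-2 remote-login src=ops-laptop-1 result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<station>\S+) remote-login "
    r"src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Yield (timestamp, station, src, result) for well-formed lines; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        yield ts, m["station"], m["src"], m["result"]


def detect_brute_force(text, threshold=3, window=timedelta(hours=1)):
    """Return alerts for (a) a source reaching `threshold` failures inside `window`
    and (b) a successful login by a source with at least `threshold` recent failures.

    Each alert is a dict with kind, src, station, count and the triggering time.
    """
    recent_failures = defaultdict(deque)   # src -> timestamps of failures in window
    alerts = []
    for ts, station, src, result in parse_log(text):
        fails = recent_failures[src]
        while fails and ts - fails[0] > window:   # drop failures outside the window
            fails.popleft()
        if result == "FAIL":
            fails.append(ts)
            if len(fails) == threshold:           # alert once, when the bar is crossed
                alerts.append({"kind": "repeated_failures", "src": src,
                               "station": station, "count": len(fails), "at": ts})
        else:
            if len(fails) >= threshold:           # the Maroochy pattern: many fails, then in
                alerts.append({"kind": "success_after_failures", "src": src,
                               "station": station, "count": len(fails), "at": ts})
            fails.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG):
        print(f"{alert['at']} {alert['station']}: {alert['kind']} "
              f"from {alert['src']} after {alert['count']} failures")
```

On the sample the third failure from radio-unit-3 raises the first alert and the eventual success raises the second; the operator's own login from ops-laptop-1 stays quiet. The point is not the particular thresholds but that the log existed and nobody was reading it: even this much logic, run against the access log once an hour, would have surfaced the attempts long before the forty-fifth.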

Ellen Vancko, a representative for the North American Electric Reliability Council, said such access should not always be considered unsafe. "All the electric companies are connected to the Web in one way or another," she said. "But that doesn't mean our control systems are hooked up to the public Net."

Granted, but an Internet connection does provide one more way for an electronic intruder to get into a system. Chris Wysopal, director of research and development for digital security firm @Stake, said he first looks for connections to the Net when called in to analyze the security of an infrastructure network.

"Whenever we see a control system connected to the Internet, that is scary. There is no need for it, except for productivity, and when you are talking about public safety, you should err on the side of security," said Wysopal, whose company has been hired for such audits only since Sept. 11. "We found a power plant where all the control systems had their administrative systems set to the same password."

Because firewalls and other internal protections are not always adequate, connecting a control network to the Internet sharply increases the risk.

"Are we vulnerable? Absolutely. We have the massive bowl of spaghetti between the Internet, phone lines, and extranets, and no one can map it," said Assistant Attorney General Thackery. "We have miles and miles and miles of wire and none of it is secure. And we have all these windows and doors that are open, and they are still open."

She noted that the Net played a major role in a well-publicized incident in 1989, when the Legion of Doom hacker group seized control of much of the infrastructure of Southern Bell's telephone network. During the attack, the hackers could have tapped phone lines and even shut down the 911 system.

BellSouth "had 42 people that I knew of on 24-hour emergency alert to keep control of their network," said Thackery, who was forced to use an encrypted phone in the Secret Service's office in Phoenix because her line had been tapped. "To me, that's one of the scariest scenarios, and these were all college kids. Just pranksters."

Yet even the most notorious incidents have fallen well short of the type of massive destruction envisioned in some of the more imaginative warnings about cyberterrorism. The Queensland incident, for instance, claimed no lives and cost just AUD$13,000 to clean up, and it was accomplished only with extensive inside knowledge.

Wysopal and many other security experts readily acknowledge that wide-scale infrastructure disruption is no easy feat. Even if an intruder manages to break in, he said, commandeering a system "still requires a fairly sophisticated skill set."

Talkback 1 comments

    Anonymous -- 27/08/02

    To talk of threats to data and infrastructure only is to miss the soft targets threatened by something like "assassination politics." People are always the weakest link and they might easily be stampeded away from all Govt by a few net arranged contract killings. Anarchy.