Cyber-Terrorism and How We Should Respond

We should not see greater defenses as our only option to protect ourselves.

July 10, 2009 — -- When does a cyber attack by another nation cross the line and become an official act of war?

I suspect that I wasn't the only person who asked himself that question this week -- and I hope that some of those people were at the highest levels of the federal government.

As I'm sure you read or saw on the news, beginning on the Fourth of July and continuing well into the week, government and private company Web sites in the United States and South Korea were attacked by unidentified hackers who tried to crash them. Target institutions in the U.S. included the departments of Transportation, State and Treasury, the White House (reportedly), the New York Stock Exchange, Yahoo and the Federal Trade Commission.

The type of attack was a so-called "distributed denial of service," a classic hack that attempts to overwhelm targeted sites with massive amounts of data -- and thus freezes out access by anyone else.

In this case, the vehicle appears to have been a well-known software "worm" that was reprogrammed -- and not particularly well, it seems -- for the task. Still, for all of its crudeness, the attack did work. In the U.S., some sites were down for as much as 24 hours. In South Korea, some remained crashed Thursday.

There have been reports that officials in both countries say the attacks appear to have been launched from inside North Korea but refuse to place the blame any more precisely.

Yeah, right. As if all of those millions of middle-class teenaged private owners of broadband connected laptops all over that electricity black hole called the People's Republic of North Korea spontaneously decided to hack the Web sites of another country's government and largest corporations.

We all know why Washington (and to a lesser degree, Seoul) doesn't want to point fingers. After all, once you fix blame for an act of aggression, you're then supposed to do something about it. And, the reasoning goes, you don't want to make Pyongyang angry because those guys are a bit, well ... unpredictable. They could do anything, like maybe aim twice as many missiles at Hawaii next time, or put two freighters filled with weapons to sea.

So instead, we resort to our usual response to these kinds of cyber attacks: We blame ourselves. And that's why, right on schedule, the feds, security experts, and bloggers all shook their heads in dismay and in unison decried the obvious failure of our security programs to protect our vital online information. Once again, we sat back, waited for another attack -- and when it succeeded, at least partially, we wrung our hands and asked why we can't defend ourselves better.

I think the real question we should be asking ourselves is: Why do we continue to see defense as our only option? After all, if there is one thing every cop and security expert knows, it is that given enough time, a burglar can break into any home, no matter how tightly locked, and a robber can crack any safe, no matter how elaborate. So, why have we convinced ourselves that our online property can remain safe behind an electronic Maginot Line, no matter how tall and thick?

As you may have guessed by now, I'm not a fan of hacking. And I never have been -- not even in the romantic old days of clever young programmers taking on "big computing." One reason was that, having grown up with these folks in Silicon Valley, I saw them less as juvenile Robin Hoods liberating the computer world from oppression, and more as just a bunch of arrogant gearheads who wanted to show they were smarter than their more successful, mainstream peers.

Just as important, I've always been haunted by secondary consequences of hacking -- something apparently lost on the perpetrators. When I read about a virus or worm crashing millions of computers and processors, I remind myself that some of those devices are embedded within or wired to things like fetal monitoring systems, surgical equipment, robotic bomb demolition equipment ... and ICBMs.

Have any hacks of the past killed babies or other vulnerable people? Will they? Do hackers even care -- or do they like the idea that they have the power to not only cripple major institutions, but even kill by proxy?

Finally, my time as an investigative reporter proved to me that today's clever new hack by some brilliant, resentful kid in his parent's basement is tomorrow's weapon of choice for some really nasty people around the world: mobsters, child pornographers, totalitarian regimes, enemies of freedom everywhere.

Would anyone be surprised if a "group or state" -- cough, cough *North Korea* -- this time used a repurposed piece of old malware, no doubt developed by some U.S. hacker a decade ago, against us?

The awful irony to all of this is that, having spent a generation now figuratively patting hackers on the heads for their crimes and telling them not to do it again, we seemed to have put ourselves into the trap of treating all such assaults as a form of victimless crime, a kind of practical joke perpetrated by people with more brains than sense. Sure, we send one or two to prison for awhile, but we're more likely to hire a successful hacker to help us fight the next generation of his ilk ... once more, taking a defensive posture.

And this is what that attitude has earned us. One of the most interesting bits of news to come out of the coverage of this cyber attack was the fact that, according to the Department of Homeland Security, the rate of online security breaches on government and private institutions in this country is skyrocketing -- 72,000 last year, double the number of the year before.

Meanwhile, the occasional story will bubble up in the mainstream media about the Chinese government sponsoring teams of hackers to probe our defenses. Similar stories have appeared about terrorist groups in the Middle East. And we know that the Iranian government, during the recent protests, went to great lengths to shut down outside coverage in the form of blogs, tweets and YouTube videos.

At what point do we decide that such assaults on our sovereignty, our institutions and our fellow citizens are unacceptable? When do we get out of our defensive crouch and actively go after governments that are attacking us through cyberspace? Will it be after a Web Pearl Harbor catches us by surprise and crashes our financial markets -- or kills thousands of people trapped in computer-controlled transportation systems run amok, or in a darkened city trapped in a blizzard or heat wave, or babies in microprocessor controlled incubators?

And long before then, why can't we respond to such an attack by a foreign government not with bombs or missiles, but by crashing that country's digital infrastructure? The worm turns, so to speak.

Or will we decide once again that the fault was our own, that the perpetrators can't be identified anyway, and that what we really need are more robust cyber-security systems -- and pray that the next attack doesn't kill us, too?

TAD'S TAB -- If you ever happen to find yourself sucked back through time in a cosmological worm hole, having this page of information would be a big plus. Topatoco.com is offering a time travel cheat sheet (and T-shirt!), http://www.topatoco.com/graphics/qw-cheatsheet-print-zoom.jpg, chock full of all the knowledge that humans have used to create the modern world. Some useful bits include "slower moving air has more pressure," and "the number of protons in an atom determine what element it is." Although it may seem like basic scientific and medicinal information, in a time machine this compendium would be a life-or-death necessity -- or make you very, very rich in 1391 A.D.

This is the opinion of the columnist and in no way reflects the opinion of ABC News.

Michael S. Malone is one of the nation's best-known technology writers. He has covered Silicon Valley and high-tech for more than 25 years, beginning with the San Jose Mercury News as the nation's first daily high-tech reporter. His articles and editorials have appeared in such publications as The Wall Street Journal, The Economist and Fortune, and for two years he was a columnist for The New York Times. He was editor of Forbes ASAP, the world's largest-circulation business-tech magazine, at the height of the dot-com boom. Malone is the author or co-author of a dozen books, notably the best-selling "Virtual Corporation." Malone has also hosted three public television interview series, and most recently co-produced the celebrated PBS miniseries on social entrepreneurs, "The New Heroes." He has been the ABCNews.com "Silicon Insider" columnist since 2000.