The myth of cyberterrorism: there are many ways terrorists can kill you—computers aren't one of them

Washington Monthly, Nov, 2002 by Joshua Green

A GAIN AND AGAIN SINCE SEPTEMBER 11, President Bush, Vice President Cheney, and senior administration officials have alerted the public not only to the dangers of chemical, biological, and nuclear weapons but also to the further menace of cyberterrorism. "Terrorists can sit at one computer connected to one network and can create worldwide havoc," warned Homeland Security Director Tom Ridge in a representative observation last April. "[They] don't necessarily need a bomb or explosives to cripple a sector of the economy, or shut down a power grid."

Even before September 11, Bush was fervently depicting an America imminently in danger of an attack by cyberterrorists, warning during his presidential campaign that "American forces ale overused and underfunded precisely when they are confronted by a host of new threats and challenges--the spread of weapons of mass destruction, the rise of cyberterrorism, the proliferation of missile technology." In other words, the country is confronted not just by the specter of terrorism, but by a menacing new breed of it that is technologically advanced, little understood, and difficult to defend against. Since September 11, these concerns have only multiplied. A survey of 725 cities conducted by the National League of Cities for the anniversary of the attacks shows that cyberterrorism ranks with biological and chemical weapons atop officials' lists of fears.

Concern over cyberterrorism is particularly acute in Washington. As is often the case with a new threat, an entire industry has arisen to grapple with its ramifications--think tanks have launched new projects and issued white papers, experts have testified to its dangers before Congress, private companies have hastily deployed security consultants and software designed to protect public and private targets, and the media have trumpeted the threat with such front-page headlines as this one, in The Washington Post last June: "Cyber-Attacks by Al Qaeda Feared, Terrorists at Threshold of Using Internet as Tool of Bloodshed, Experts Say."

The federal government has requested $4.5 billion for infrastructure security next year; the FBI boasts more than 1,000 "cyber investigators" President Bush and Vice President Cheney keep the issue before the public; and in response to September 11, Bush created the office of "cybersecurity czar" in the White House, naming to this position Richard Clarke, who has done more than anyone to raise awareness, including warning that "if an attack comes today with information warfare ... it would be much, much worse than Pearl Harbor."

It's no surprise, then, that cyberterrorism now ranks alongside other weapons of mass destruction in the public consciousness. Americans have had a latent fear of catastrophic computer attack ever since a teenage Matthew Broderick hacked into the Pentagon's nuclear weapons system and nearly launched World War III in the 1983 movie WarGames. Judging by official alarums and newspaper headlines, such scenarios are all the more likely in today's wired world.

There's just one problem: There is no such thing as cyberterrorism--no instance of anyone ever having been killed by a terrorist (or anyone else) using a computer. Nor is there compelling evidence that al Qaeda or any other terrorist organization has resorted to computers for any sort of serious destructive activity. What's more, outside of a Tom Clancy novel, computer security specialists believe it is virtually impossible to use the Internet to inflict death on a large scale, and many scoff at the notion that terrorists would bother trying. "I don't lie awake at night worrying about cyberattacks mining my life," says Dorothy Denning, a computer science professor at Georgetown University and one of the country's foremost cybersecurity experts. "Not only does [cyberterrorism] not rank alongside chemical, biological, or nuclear weapons, but it is not anywhere near as serious as other potential physical threats like car bombs or suicide bombers."

Which is not to say that cybersecurity isn't a serious problem--it's just not one that involves terrorists. Interviews with terrorism and computer security experts, and current and former government and military officials, yielded near unanimous agreement that the real danger is from the criminals and other hackers who did $15 billion in damage to the global economy last year using viruses, worms, and other readily available tools. That figure is sure to balloon if more isn't done to protect vulnerable computer systems, the vast majority of which are in the private sector. Yet when it comes to imposing the tough measures on business necessary to protect against the real cyberthreats, the Bush administration has balked.

Crushing BlackBerrys

When ordinary people imagine cyberterrorism, they tend to think along Hollywood plot lines, doomsday scenarios in which terrorists hijack nuclear weapons, airliners, or military computers from halfway around the world. Given the colorful history of federal boon-doggles--billion-dollar weapons systems that misfire, $600 toilet seats--that's an understandable concern. But, with few exceptions, it's not one that applies to preparedness for a cyberattack. "The government is miles ahead of the private sector when it comes to cybersecurity," says Michael Cheek, director of intelligence for iDefense, a Virginia-based computer security company with government and private-sector clients. "Particularly the most sensitive military systems."