Are cyberterrorists for real?

U.S. struggles to distinguish joyriding hackers from state-sponsored attackers

The debate over whether the United States faces imminent danger from cyberterrorist attacks took a new turn last week when the top defender of the nation's key information systems said "terrorism" may be too strong a word when describing potential cyberthreats.

Richard Clarke, national co-ordinator for security, infrastructure protection and counterterrorism at the National Security Council, said that while it would be a "tough call" to tell the difference between an attack by hackers and one launched by terrorists intent on disrupting national security, the administration's cyberdefense programs are battling a perception problem that stems from the misuse of the word terrorism.

"Maybe we shouldn't be saying 'cyberterrorism.' Maybe we should be saying 'information warfare,'" said Clarke, who spoke at a conference on cyberattacks and critical infrastructure protection sponsored by the American Enterprise Institute for Public Policy Research in Washington, D.C. "In the end, you're going to know it when you see it," he said, referring to the difference between joy-riding hackers and state-sponsored cyberattacks.

Clarke's comments underscore a significant problem for the Clinton administration, which has failed to convince Congress to support some of its key cyberdefense initiatives including the Federal Cyber Services initiative, which would offer college students scholarships to study information security in return for government service.

Experts agree that, to date, most of the major cybersecurity incidents are best described as nuisance attacks, although many fear that a devastating surprise attack, sometimes referred to as an "electronic Pearl Harbor," is inevitable.

This month, at a similar conference on Capitol Hill sponsored by The Brookings Institution, experts blamed a Cold War budget mentality for shortcomings in the government's information technology and security programs [FCW, June 19]. Jeffrey Hunker, senior director for critical infrastructure protection at the NSC, said that although the government tries to be proactive, he believes that "we are going to get nailed seriously" sooner rather than later.

By not preparing for the worst-case scenario, we may be endangering the public's civil liberties, according to Clarke, who argued that "a lot of people are going to be willing to throw civil liberties out the window" in an effort to recover from an attack that cripples large portions of the nation's critical infrastructure.

Elizabeth Rindskopf Parker, former general counsel for the CIA and the National Security Agency, agreed that preparation is crucial, and, in the current legal system, defensive measures are more "workable" than offensive ones. Overall, however, cyber-defense "is not well understood and is not talked about sufficiently," she said.

Rep. Curt Weldon (R-Pa.), chairman of the House Military Research and Development Subcommittee, said pretending the threats are not there is not a solution, and he criticized the Clinton administration for decreasing high-tech R&D spending. "We are seeing efforts by rogue groups to acquire encryption algorithms and sophisticated tools," said Weldon, who spoke last week at the GovTech 2000 convention in Washington, D.C. "The administration has lulled the American people into a false sense of security."

John Pike, a defense analyst with the Federation of American Scientists, agreed that the debate over the threat of cyberattacks to the nation's security has been overblown. Although something much larger than the recent denial-of-service attacks is likely on the horizon, Pike said he does not believe it will be anything like an electronic Pearl Harbor.

"I hope that [Clarke's comments] will get the debate out of the realm of cartoons and help people focus on real problems," he said. "Most of the time I feel like I'm watching a really bad cartoon."