Letter: Article overstates vulnerabilities

For the same reason your car doesn’t have a self-destruct button, there is, in the vast majority of cases, no instant kill area where attacks are likely to have serious effect. Moreover, the nature and original design strategy of the Internet (peer-to-peer, intended to avoid a lethal nuclear attack taking out the whole Net) has worked amazingly well, again over time. The very things that limit security are those that preserve operability.I think it bears noting here that things like electricity-generating stations do not have control features that are remotely accessible over an insecure infrastructure. There is no Internet connection, there is no dial-up line, there is no radio frequency channel. They are, in every case I’ve been privy to, completely air-gapped from personnel not on site, which brings us back again to physical security measures. When one thinks about it, this makes very basic sense: There is no reason to create a method that allows nuclear-generating station workers to work off-site, for instance.Please don’t misunderstand — there are indeed security flaws that can be attacked over the Internet. But I am not aware of one that could be conducted on the strategic level. Anyone notice that last decade’s near-continuous malware attacks have nearly ceased?The two most common attack modalities that Bain didn’t really go into are physical (site) attacks and disinformation. Physical attacks are the easiest to implement and typically the least costly, and they can be far less complex. It bears noting that the terrorists in the 2001 attacks all obtained their identification either completely legally as residents or by bribery. No one tried to hack anything. And physical attacks have a history — and countermeasures — that go back as long as mankind’s recorded history.As to dissemination of false information, this is clearly a more easily exploitable attack vector, although the results are a bit murky. People still tend to accept what they read on the Internet as fact (although this, too, is becoming less and less the case). Could this be used to cause damage? I think so, but not on an instantly catastrophic level.Barring these two attack modalities, however, I cannot identify the strategic-level attacks Bain hints at, and I feel he overstates the vulnerability of various important targets.What do you think? Paste a comment in the box below (registration required), or send your comment to (subject line: Blog comment) and we'll post it.