What Year is This?

I feel like I’m taking crazy pills here . . .

The Homeland Security Department finally named an assistant secretary for cybersecurity last year, and the Senate ratified the first international treaty on cybercrime.

The Computer Security Industry Alliance had lobbied for these achievements for more than two years and counts them as big wins, said acting executive director Liz Gasster. But the nation still lacks a comprehensive data security law, and DHS needs to develop response and recovery plans for disruptions of our critical infrastructure.

[…]

CSIA has set out a cybersecurity agenda for government for the last two years, with only indifferent results. In its Federal Progress Report for 2006, it gave the administration an overall grade of D because of failures to pass privacy legislation and to set clear priorities for future work.

It seems like just yesterday that RTM shut down the inter-tubes with his Sendmail experiment. In the aftermath CERT/CC was born (gov’t sponsored but run by the academy – a foreshadowing) and annual projections of a) the death of the Internet, b) the need for more cooperation, and c) the need for more legislation followed. In the meantime we’ve had a few Digital Battle of Wake Islands, the .com boom and bust (and .com bust-boom), too many parallels to Snow Crash to count and version .9 of Hari Seldon’s Encyclopedia Galactica.

Every year the same discussions, every year the same problems, every year more threats, every year we expose ourselves more and every year no forward progress. Why?

FID: Fear, Incompetence & Doubt

Dr. Stephen Haag spends upwards of 80 hours each week on his computer, mapping out terrorist attacks.

Haag, an expert in emerging technologies, believes the next attack on the U.S. will come not in the form of bombings or military movements, but from terrorists armed with computer keyboards, credit cards and Social Security numbers.

A calculated cyber identity strike could erase or manipulate the identities of millions of Americans, effectively closing the financial markets and crippling the economy. ATMs would fail, airports would shut down, banks would close–all transactions would cease, says Haag, 45, an associate dean at the Daniels College of Business at the University of Denver. […]

Read the rest if you must but the gist is this: terrorists buy stolen personal identifying information (from, say, someone who steals a Department of Veterans Affairs laptop); they craft some code that would render your personal information unrecognizable to computer systems; so now your credit cards don’t work, your driver’s license comes up invalid, etc.; and the end result is that everything shuts down because “the system” thinks you don’t exist.

I honestly thought we had passed the point where wackiness like this was even on the table. I mean, how many ways can we tweak “weapons of…” to fit someone’s money-making scheme?

Some reality:

  • The average American has multiple credit cards that are processed by a variety of different card processors (not many, but several)
  • There are 50 different DMVs
  • There is the Department of State (passport)
  • There are umpteen institutions of higher learning that all issue their own IDs
  • Etc., etc., etc. . . .

This is my wheelhouse. Terrorists haven’t moved past the defacing web pages stage of technical threat and suddenly they’re going to be producing uber-code that in one fell swoop zaps you from virtual existence? The airports will shut down because 1 in 10 IDs are invalid? Last time I checked the rent-a-cop looks at your picture, the name on the license, the name on the boarding pass and if they match off you go.

If you’ve got the skill to zap multiple, complex systems – whether it is with insiders or from afar – you’re not going to waste your time targeting Johnny Citizen; it’s called “the war on terror” not “the war on inconvenience.”