By Richard Stiennon, IT-Harvest
Scenario planning is a useful technique for risk reduction. A group of key players in an organization are brought together to brainstorm possible events and their impact on business. Scenario planning, done rigorously, could help an airline hedge against rising fuel prices, a vaccine manufacturer scale up for a pandemic, or a bank prepare for a Distributed Denial of Service attack.
But scenarios have little value in public prognostications of future cyber attacks.
From a review of a 2001 book "Information Warfare" by Michael Erbschloe: "There's a realistic doomsday scenario described by the author, dubbed Pearl Harbor 2 (PH2), where a group of ten strategically trained hackers can disrupt $1 trillion (US) of economic activities over a sustained period. Offering day-by-day details of the first three weeks of the scenario, you should find much of the details familiar, like using email viruses for the initial outbreak. Overall, a well thought out scenario, and not all that too far fetched these days."
Scary stuff. Realistic? Not.
Winn Schwartau also wrote a book titled "Information Warfare," which Marcus Ranum calls "Science Fiction."
I would not fault those responsible for defending critical information infrastructure within their own organizations from postulating various forms of cyber attacks, but I would argue that there are enough attacks in evidence today to keep any IT department busy just defending against them.
Pundits who extrapolate from the current state of vulnerability of most systems to predictions of massive power outages, financial collapse, and loss of command and control are falling into the scenario syllogism trap. Posing scenarios to support your anti-cyber war position can be just as dangerous.
Marcus Ranum is on the lecture circuit with his "Cyber War is BS" pitch. He uses scenarios to defend his position as well. Watch his Dojosec pitch here.
Ranum, a self-proclaimed "military historian," uses his reading of WWII history to attempt to compare cyber war to conventional warfare and dispute the existence of cyber war. As you listen to his talk, note the polite skepticism from the audience.
A professor at the Naval War College has gone further. He postulates scenarios where offensive cyber attacks could be used by the United States as a "kinder, gentler" means of war fighting. From a Wired article, Naval Postgraduate School professor John Arquilla proposes some scenarios: defusing tensions between Pakistan and India, stopping Russia from invading Georgia again, and stopping another Al Qaeda 9/11.
You can imagine the unintended consequences of this type of meddling. During times of heightened tensions, Pakistan and India would not react calmly to any type of cyber interference.
Oops, I just argued from scenario. You can see how easy it is to fall into the trap of speculation.
For now the best practice is to continue to focus on cyber defense. Cyber offensive scenario planning is not worth the effort other than for planning defenses.
As I complete the manuscript for "Surviving Cyber War" I am carefully editing out all scenarios. There is enough recent history of cyber espionage and targeted attacks to fill several books without resorting to fear mongering and raising the specter of cybergeddon.
Copyright © 2008 To Present · Information-Security-Resources.com
Richard Stiennon is Chief Research Analyst and founder of IT-Harvest, an independent analyst firm that researches the 1,200 IT security vendors.