• On GameSpot: TGS 2008: Tekken 6 heads to the Xbox 360
advertisementAT&T Tech Support 360

November 23, 2005 11:44 AM PST

Newsmaker: Terrorism threat to Net overblown

By Tom Espiner
Special to CNET News.com

See all Newsmakers
Terrorism threat to Net overblown
Related Stories

Foreign powers are main cyberthreat, U.K. says

 November 22, 2005

Feds' Net-wiretap order set to kick in

 November 11, 2005

ACLU challenges Patriot Act

 November 2, 2005

Microsoft exec: ID cards pose security risk

 October 18, 2005
As one of the world's foremost authorities on security issues, Bruce Schneier has been a voice of reason in an industry where hyperbole is often rife.

Schneier, who has written several books on security and is the founder of Counterpane Internet Security, has previously criticized those who claim that cyberterrorism is a serious threat.

So, with the SANS Institute warning that hackers are changing their tactics and the NISCC, the British government body responsible for cyberprotection, claiming that foreign governments pose a serious threat to the U.K.'s critical infrastructure, we caught up with Schneier to get his take on the security landscape today.

Q: What do you think about the claim that foreign governments are a serious threat to the critical national infrastructure of a country, through government-led hacking?
Schneier: In general, these threats are overstated. Is there a danger to the critical national infrastructure from spying? Well, a lot of reports you read tend to be very muddled as to the details.

Do you think the threat from cyberterrorism is still overhyped?
Yes. The U.S. government gives a lot of money to fight terrorism, so cyberterrorism is hyped. I hear people talk about the risks to critical infrastructure from cyberterrorism, but the risks come primarily from criminals.

At the moment, criminals aren't as "sexy" as terrorists.

But at the moment, criminals aren't as "sexy" as terrorists. We should not ignore criminals, and I think we're underspending on crime. If you look at ID theft and extortion, it still goes on. Criminals are after money.

Hacking does seem to be more financially motivated now. Is there a "malicious marketplace," as SANS claims?
There is definitely a marketplace for vulnerabilities, exploits and old computers. It's a bad development, but there are definitely conduits between hackers and criminals.

Roger Cummings (director of the NISCC) said on Tuesday there is a danger that the links between criminals and hackers, and hackers and terrorists, will become stronger...Well, if we were making a movie, then that's what we'd do. I think that the terrorist threat is overhyped, and the criminal threat is underhyped.

What do you think about governments using the threat of terrorism to collect information on citizens and the implications of that on police powers?
It's very scary. This is a very complex issue--one I've written books about. My view is that we're faced with multiple threats. The worry is that while we are trying to defend ourselves against one threat (terrorism), we are actually making ourselves less secure. People are scared, and because they're scared they're handing over powers to the government and giving up their liberties. The threat of terrorism in the U.K. has led to national e-card debates and biometric passport discussions.

What are your views on biometrics in this context?
They're good for what they're good for, and bad for what they're bad for. They have their uses, and they have places where they're not useful. The all-important issue is that we think we're in danger and think that by using biometrics, we'll suddenly be safe. We should use them where they're valid.

How about ID cards?
In general, ID cards are a complete waste of money--a former MI5 (British internal security agency) director said that. It's all very well for me to say that, but it's nice to know Stella Rimington feels that way too.

The ID card debate in the U.K. is all about population control--it's about controlling immigration, not terrorism. It is unfortunate that the U.K. isn't having that debate properly.

So what will be the outcome?
There will be a massive erosion of freedoms in our culture. We are losing sight of the future. I know that's not good news--it's not fun, but it's true. We'll be less secure as a result, because we'll be in more danger from terrorists. There'll be an increase in the risk from terrorists we are creating, and we'll be giving the police state powers.

We waste money on electioneering that could be spent on actual security--investing in intelligence and better emergency response.

How can anyone feel safe in a world created by George Bush?

Tom Espiner of ZDNet UK reported from London

More Newsmakers

See more CNET content tagged:
cyberterrorism, terrorism, criminal, ID card, threat

Add a Comment (Log in or register) 16 comments
Cyber terrorism is real
by n3td3v November 23, 2005 12:00 PM PST
Sorry to speak on behalf of hackers, but cyber terrorism is real. These security experts much be out of touch with the latest chatter thats going on. Hackers are actively developing methods of multi vector attacks on corporate and gov infrastructure. The BIG ONE is only a matter of time away. After a cyber attack hapepns, these same guys will be saying "not enough was done before hand to prevent international backbones going down".... I guess they need a wake up call.
Reply to this comment
Criminals are after money?
by n3td3v November 23, 2005 12:05 PM PST
Yeah, and you don't think hackers aren't offered money to bring down say AMERICAN interests in relation to cyber terrorism. Money is very much a part of mainland and cyber terrorism. Will someone get these cyber security experts a clue on the world?
Reply to this comment View reply
Easy does it Bruce...
by Inetsec November 23, 2005 12:25 PM PST
Although I'd agree that cyber terrorism is somewhat over hyped I'd be extremely careful not to put your considerable weight behind turning all the attention to ID theft and cyber crime (opinion wise - physically you are somewhat skinny).

You have quite a few ears out there listening to what you have to say and I think you and I both know that as far as ID theft is concerned, ID theft is mainly related to dumpster diving and mailbox pillaging. There is not anything cyber related - other than maybe purchases made under an assumed identity. That is not a cyber related issue; it's an education / physical security issue.

The "old computer" issue and the rest of the interview also has me in somewhat in a snit. I agree to a point that old computers and the future degradation of rights is an issue, but come on Bruce. Were you in a bad mood the day of the interview?

Most of the "latest / greatest" ID compromises were accomplished via "recently deployed" systems (NT4 and above ? and yes there were other OS?s involved) that were just not kept up to date with current patches or had bad custom programs written by the violated company installed on them. That IS NOT an issue for Government spending. That is an issue for the violated companies to address.

One thing that I would hope that you and I could agree on is that "better, faster, cheaper" never works. Pick two, but trying to do all three spells disaster.
Reply to this comment
Bush swipe really necessary?
by ORinSF November 23, 2005 12:47 PM PST
If the author feels that George Bush is relevant to the discussion, by all means he should address it. Instead we get a little drive-by at the end of the article.

It's easy for one to assume that everyone agrees with their politics and that such digs are harmless. But to a diverse audience, it comes off as glib and undermines what came before it.
Reply to this comment View reply
He has done this before...
by jcpole November 23, 2005 6:15 PM PST
I don't understand why Bruce feels that he is competent to
discuss this particular issue. He is a cryptographer. He made
similar comments a few months ago, and he was roundly
criticized for being out of his element.

The threat of cyberterrorism is very real, and it is unfortunate
that people like Bruce want to bury their heads in the sand.

When Bruce talks about cryptography, I listen. When he talks
about security issues and cyberterrorism, I don't waste my time.
I'm not even sure how he got started talking on this particular
topic - perhaps he was offered enough money that he felt it was
okay to make a fool of himself talking about a topic that he is
not qualified to address.

As far as the Bush comment, C|Net has always had a bias in this
area. They are usually more subtle about it, but it shows itself in
snide remarks like this one. Every time I see drivel like this, I
lose a little more respect for C|Net as a "journalistic"
organization. Even if Bruce said it (which would not surprise me
at all, by the way), there is no way that C|Net should have
printed it.

Jamie
Reply to this comment View all 2 replies
define the threat
by onexge November 23, 2005 9:12 PM PST
The classic definition of terrorism requires flamboyant acts of violence that physically harm the public in general, and the ruling class in particular, forcing the state to pursue a policy of repression which increases sympathy to the revolutionary cause, leading to a spiral of increasingly violent terrorist acts and repressive response. Provide an example of a cyberterrorist act and explain how it will further the cyberterrorists' aims.
Reply to this comment
What's with the Bush Bashing?
by Donperry November 27, 2005 7:37 AM PST
Please leave your personal political views out of your articles. We're
not interested in them. Up until the point you mentioned Bush, I
thought your article was fairly intelligent. Terrorism has been
around long before Bush was ELECTED President. He just happens
to be the first U.S. President with guts enough to stand up to it.
Liberals like you just never seem to get it.
Reply to this comment View reply
Hit the nail on the head
by jzar November 27, 2005 1:39 PM PST
Bruce hits the nail on the head by identifying the real reason we keep hearing about "cyberterrorism": money. "Cyberterrorism research" is just another trough for the pigs to feed at. With the government throwing billions of dollars at the problem, it serves certain companies' and researchers' interest to exaggerate the threats posed by terrorism to the Internet. At the same time, real threats like those posed by natural disasters (remember Katrina?) get ignored.
Reply to this comment
Powered by Jive Software

Latest tech news headlines

Resource center from News.com sponsors
You Need The Speed of Norton 2009
Introducing Norton Internet Security™2009

Click Here!
With one-click, one-minute install, under 8MB of memory usage and fewer, shorter scans, it's the fastest security suite anywhere. Norton. Smart Security, Engineered for Speed. Get a FREE trial today!

Click Here!
The Fastest Security Suite Anywhere

Experience the revolutionary Norton Internet Security™ 2009. With Norton™ Insight, a new feature, you get precision security that targets only at risk files for fewer, faster, shorter scans

Win a Trip to Space!*

Enter the Blast Off with Norton Sweepstakes for your shot at a trip to space. You could experience being fast and weightless, just like the new Norton 2009. *No purchase necessary; click for full details.

FREE Trial!

Act now to get your FREE trial of Norton Internet Security 2009. Try it for the protection. Love it for the speed

Norton Safe Web NEW!

A community-based system that rates web site safety

Norton Labs NEW!

Users can download new security technologies and share input directly with developers. Help us shape our future products!

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.

More feeds available in our RSS feed index.

advertisement

Inside CNET News

Scroll Left Scroll Right
News
Latest news
Business tech
Green tech
Wireless
Security
Media
Popular topics
Apple iPhone
Apple iPod
Best hybrid cars
Cell phones
Dell
GPS
CNET sites
CNET TV
Downloads
News
Reviews
Shopper.com
Site map
More information
Newsletters
Corrections
Customer Help Center
RSS
What's new
About CNET