Taking Responsibility

As the world's political leaders counsel patience and perseverance in a type of war never before waged, we risk enormous peril if we take our eyes off the cyberfront.

As Attorney General John Ashcroft fielded reporters' questions last Tuesday about the attack on the World Trade Center and the Pentagon, one journalist asked if a new computer worm, discovered only hours earlier, was in any way related to the terrorist strikes. It was not, Ashcroft assured the nation - or at least, there was as yet no evidence linking it to Osama bin Laden and his ilk.

Somehow that was not altogether reassuring. Yes, it suggested that the same evil minds who plotted the deaths of thousands and the destruction of our national icons in a relatively low-tech assault had not evinced the technological sophistication to attack our computer networks. Not yet, anyway.

But it also reminded us that the numbers of our invisible enemies are growing each day, turning our commitment to freedom and openness into sundry weapons capable of destroying us.

It is no exaggeration to describe the creation of computer viruses and worms as terrorism. While none has yet threatened loss of life, as our culture grows increasingly dependent on the network of networks to organize and maintain our social, commercial, military and political institutions, some highly sophisticated worm will eventually wield deadly powers. It will not kill through physical assault, but through deprivation - emergency supplies cut off, urgent calls for help unheard, defenses unplugged. It will kill by throwing crucial institutions into chaos by simply erasing or corrupting the data on which we increasingly depend for daily sustenance.

As the world's political leaders counsel patience and perseverance in a type of war never before waged, we risk enormous peril if we take our eyes off the cyberfront. In some ways, digital terrorism will be even harder to combat than suicide bombers and elusive snipers - first, because the attackers are often armies of one whose motivation is unknown, and second, because so much of our aggregate defenses depends on private companies whose allegiances will always be divided between social responsibility and profits.

As intoxicated as we've become with the notion that the market must decide all things commercial, software developers have proven themselves to be socially irresponsible by consistently releasing products that are vulnerable to attack. Surely, the leaders of the computer industry - men and women cited as visionaries at every opportunity - have realized that network terrorism is an escalating war. It's time to adopt and enforce industry standards with enough teeth to make them stick.

That said, before we start pointing fingers at Microsoft, I suggest we take a long hard look in the mirror. How many of us have been vigilant in applying the patches developers have made readily available - often proactively? How many of us have circumvented password protections because we couldn't be bothered? How many can say we have been completely vigilant in monitoring firewalls and network diagnostics? How many of us, in fact, have been asleep at the wheel?

It's not Microsoft's job to protect us from ourselves, from our inertia or our unwillingness to invest human and capital resources in our own barricades. It's not Microsoft's job to force ISPs to wage a cooperative war on denial-of-service attacks. Nor can Microsoft, as large as it is, act as the world's software police or central administrator of defensive information. That role lies with industry and government, which have so far compiled a very sorry record in collaborating against cyberterrorism.

And finally, a great deal of responsibility lies with the hacker community, which consistently criticizes worm and virus attacks and denies any responsibility for their existence, but in truth condones a shadowy subculture that nurtures these terrorists. Three years ago, IBM sponsored a daylong seminar on cyberforensics at its headquarters in Armonk, N.Y. The event drew some of the brightest lights in the hacker world, but when one speaker attempted to distinguish between "black hat" and "white hat" hackers, he was booed. Hacking was "not about morality," one member of the audience shouted.

In the immortal words of Harry Truman: bullshit! There are no moral shades of gray here. We cannot condone the argument put forth by social misfits at keyboards that Microsoft products must be attacked to expose their vulnerabilities. Everyone knows there are responsible ways to hack a product. Releasing a worm or otherwise attacking an undefended network is not among them. It's time the hacker community weeded out the evil in its midst.

The bottom line is that we are already engaged in an escalating confrontation that holds frightening consequences for our economy, culture and well-being. Winning the war against cyberterrorism will require never-ending vigilance - and patience and perseverance - on the part of all of us.

Rob Fixmer is Editor-in-Chief of Interactive Week. He can be reached at [email protected]