There’s an old saying about Internet experts. How do you tell the ones who are any good? They don’t ever use cyber as a prefix for random words.

Most people who talk about ‘cyber-warfare’ are full of bunk, and most of what you know about computers, networks, computer security and the Internet from television programmes and movies is woefully wrong.

There's search engines. You know how to use them. Go for it. Your TV shows and the movies you see have about as much relation to what computers really do and how they actually work as unicorns and fairies have to the Fine-Structure Constant. Pretty much every time one of these characters gets involved with a computer the screenwriter makes something up. Shocking, I know. This is a process called dramatisation. Each story needs computers to work in certain ways, so for that story they do.

A producer or director might think that the computer isn’t visually exciting enough, so they make it more exciting. It’s the same principle where Vic Morrow gets to fire ten thousand rounds from a six-shooter without reloading. Reloading is less exciting than shooting.

So, if you’ve learned anything from most of these programmes, it’s rubbish, I’m sorry to say.

Now we get onto various so-called ‘cyber-warfare’ experts. They’ll have you believe that water-supplies can be disabled, electrical grids can be shut down, trains blown up (seriously), and all sorts of other systems nobbled, discombobulated, banjaxed and disrupted by ‘cyber-warriors’ of ‘cyber-armies’, should a ‘cyber-war’ ever break out.

Seriously, wtf?Hokum and horse-feathers.

Either you’re being lied to, or the poor saps telling you this haven’t thought things through and this, while not actively lying, aren’t actually telling the truth either.

The truth about ‘cyber-warfare’ doesn’t sell a lot of books, or get you interviewed on National television.

Yes, real software and real systems have vulnerabilities. Methods by which a determined and lucky person might be able to slow down, disrupt or occasionally gain entry to a computer system that they’re not supposed to.

It’s true that people can, and do discover and make use of these vulnerabilities to do just that.

It’s like seeing a particular make, model and mounting of door-lock and knowing that you can spring it open with the right bit of wire, or that there are only twelve different keys that opens that sort of lock (and you’ve made copies).

Where you’re being misled is in the notion that ‘cyber-attacks’ can be coordinated, or targeted in any effective way.

This sort of intrusion is actually largely opportunistic, based mostly on chance or on luck.

On the telly tonight was a fellow who claimed that trains could be blown up by cyberwarriors.

Someone donate a train and see if he can find anyone who can cause it to spontaneously explode remotely with a laptop, mobile phone or supercomputer. There’s no need to fear losing the train, because it can’t practically be done.

Crackers are largely opportunistic. A bit like shoplifters, really. They can’t steal anything from the candy isle, because there are cameras, and almost always people wandering up and down looking for just the right sweets to get their sugar-fix. They’re easy to spot and easy to thwart. They might get away with scoring a pocket-pack of tissues over in the underdefended sanitary-products aisle though. Assuming that they don’t trip the security system on the way out.

Grab some random all-star ‘elite’ cracker type and give him a week to break into the system of your choice, and the odds are he or she just can’t do it. He might be able to find dozens or hundreds of other targets during that time, home PCs, the occasional Web-server that nobody much cares about and so on. Maybe even a higher-profile or more important target… something that might disrupt a corporation’s Web-site for a few hours, or lift an exposed customer list, but if you were the one to name the target, the odds are your man or woman couldn’t get into it.

That’s not to say there isn’t a real threat. Crackers get lucky sometimes. But nobody can predict quite where that luck will strike. You might want to shut down a power-plant or a hydro-electric system. Instead your cracker winds up sending rude-messages to a scoreboard or wiping a Web-server.

If you’re the owner of the scoreboard or the Web-server, you’d be pretty bloody sad.

Worse for the cracker is that the list of potential vulnerabilities of any system are constantly changing. A software update might take away five possible ways into a system, and add five more. The problem is that the would-be intruder doesn’t know which. Plus there are firewalls, monitoring. Monitored and supervised systems are really hard to take over, despite what TV and movies would have you believe.

A great many system and network administrators who are serious about security have never had a system intrusion, and may never have one. A great many lax administrators have gotten lucky. Some administrators aren’t so lucky, and some are downright sloppy.

During various military actions in and around Iraq, all manner of patriotic crackers tried to lend their efforts to disabling key Iraqi systems and infrastructure. Thousands of people laboured at that for weeks, and presumably the US military had a few bods of their own on the job. Cream-of-the-crop stuff. To the best of anyone’s knowledge, the success rate for these massive ‘cyber attacks’ was essentially zero.

The easier option would be a small electromagnetic pulse (EMP) bomb; Solid military tactical munitions that can take out electronic devices and computers over a very wide area. But that’s not ‘cyber’ enough apparently.

The single most effective way to disrupt a computer system is to have someone ‘on the inside’, who can switch off the power, and take a fire-axe to the switchboard. Probably still not ‘cyber’ enough, is it? The threat of that is not going to sell you many books or get your name in the papers.

Proper precautions, careful planning and systems supervision make the odds of a targeted (ahem) ‘cyber-attack’ on those systems infinitesimal, and even if it was successful, the effects would be temporary at best if you’ve done your homework properly, and for all practical purposes impossible to coordinate with any other action.

Now that we’re clear on that, can we get some of these arses off of television and book-signing tours, maybe?

Got a news tip or a press-release? Send it to [email protected].
Read previous post: