Lake isn't the only policy wonk warning us of our own vulnerability. On March 22, National Security Advisor Condoleezza Rice and Richard Clarke, who heads U.S. counter-terrorism efforts, issued a warning against computer attacks that could disrupt vital services in the United States. "It is a paradox of our times," said Rice, "that the very technology that makes our economy so dynamic and our military forces so dominating also makes us more vulnerable."

But vulnerable to what? If the alarmists are right, we have some terrifying scenarios ahead of us: large-scale attacks on critical infrastructure such as the food supply, emergency services, government agencies, power grids, communication systems, air traffic control and financial systems. Lake, whose chapter "e-Terror, e-Crime" is a veritable case study in cyber-attack alarmism, worries that cyber-attackers could crash planes; tamper with food or medicines to poison populations; or disrupt the economy by shutting down electrical and communication systems. "The genie is well outside the bottle," he claims, now that attackers have jammed 911 lines in Miami, overwhelmed the e-mail system at an Air Force base and infiltrated an unclassified Pentagon computer.

To an extent, their fears are legitimate. In the last 20 years, the number of people with computer skills has grown dramatically; there are thousands of computer viruses and hundreds of millions of potential targets. An Associated Press story on Rice's announcement cited $400 million in financial losses due to computer attacks over the last year. But just because there are plenty of cyber-savvy individuals out there doesn't mean that the attacks we're likely to face are going to be as damaging as Lake and others fear. And no one among them is offering a careful analysis of what the threat may be and where it will come from.

	Print story E-mail story

Part of the problem is that Lake and other alarmists don't distinguish between the resources it takes to cause an expensive nuisance -- like last year's denial-of-service attacks on Yahoo and eBay -- and the skills, time and access one needs to create a devastating attack, like crashing an airplane. In "Six Nightmares," Lake doesn't consider the checks that protect infrastructure from such threats. He also fails to ask an obvious question: If there are so many malicious hackers at work (19 million, by Lake's count), why have their attacks been, by and large, fairly innocuous?

"Certainly the large majority of attacks demonstrate no more than script-kiddie skill level," says Tim Shimeall, a senior member of the technical staff with the CERT Analysis Center, a center for Internet security at Carnegie Mellon University.

Script kiddies, or unskilled criminal programmers, perform simple exploits against underprotected systems using software tools and instructions created by skilled programmers. They take a tool and run it against multiple targets, hoping to hit one of them. These tools can crack passwords, steal files, install malicious software in a target or cause a denial-of-service attack, but are unlikely to cause large-scale damage. "Script kiddies are getting their clickers on more sophisticated tools, but they have little ability to do more than launch them," says John Arquilla, associate professor of information technology at the Naval Postgraduate School in Monterey, Calif.

Tools like these don't automate large-scale attacks on critical infrastructure as much as reproduce attacks that more proficient troublemakers have carried out in the past. And so what expert cyber-terrorists don't do routinely -- widespread attacks on the electrical grid, for instance -- just isn't an option for the vast majority of maliciously minded delinquents.

The Free Software Project
Read Andrew Leonard's book-in-progress on Linux and open source -- and post your comments.