Technology and Society

Book Reviews

Title: Black Ice: The Invisible Threat of Cyber-Terrorism
Author: Dan Verton
Publisher: McGraw-Hill/Osborne
Copyright: 2003
ISBN: 0-07-222787-7
Pages: 273
Price: $25.00
Rating: 60%

Author Dan Verton seems to have the credentials to write a book about cyber-terrorism. A journalist with Computerworld magazine, a former intelligence officer in the Marines, and a writer who has traveled around the world, he should be able to put the threat of cyber-terrorism into its proper perspective. 

Unfortunately, he begins this book with the kind of fear-mongering that computer security vendors regularly propagate. In chapter 1, he presents a fictional scenario, Dark Winter, which involves a carefully planned terrorist attack with debilitating repercussions. He points out how the US government would be overwhelmed by the attack, unable to react quickly enough to stave off its massive effects. He suggests that power outages would "last for weeks, in some areas, for months", and that "businesses, banks, government offices, industrial plants, and manufacturing firms [would be] also starved of connectivity. Some [would] be forced to close their doors for good."

If a cyber-terrorist attack of this magnitude were to occur, it is unlikely that the US government would be at the front lines. The Pentagon would be worrying about procurement problems, and paying outrageous sums for toilet seats yet again. But power outages would certainly not last for months, and businesses would not be forced to close their doors... The community of thousands, even millions of Internet users and programmers would certainly mobilize to stave off the attack and limit the damage. Attacking major name servers, as Verton suggests, certainly would cause short-term problems, but not the type of long-term damage he claims.

In addition, if such an attack did occur, there is one easy way to limit its effects: just turn off sensitive computers. Verton is one of these people who couldn't live for an hour without his computer, and doesn't seem to envisage such a solution. But as we saw after 9/11, even the New York Stock Exchange closed for a week without disrupting the world's economy. Sure, turning off the world for a week would be costly, but much less so than suffering the damage any cyber-attack would inflict. It's hard to believe that society would become Planet of the Apes if people couldn't use their cell phones or ATMs for a week. 

Look at the massive power outages that struck the northeastern parts of the US and Canada in 2003, or the similar outage that cut off power to the entire country of Italy in the summer of the same year. These outages led to minor problems, which lasted 24 to 48 hours, not weeks or months. Sure, if the power grid were seriously damaged - and one can argue that this is much more sensitive than the Internet - problems might last longer, but the power grid is nothing more than connected wires, and doesn't call for rocket science to repair. People won't die if they have to use candles for a couple of days. 

More serious is the problem that, as Verton points out, "the private companies that own and operate the bulk of the nation's most critical infrastructure system continue to balk at sharing with the government the lion's share of information about cyber-vulnerabilities and security incidents." But if the current administration is able to so easily trample on the fundamental liberties of individuals, it doesn't seem difficult for them to require cooperation in this area. Trusting such security to private companies - which goes along with the current administration's desire for less government - can be risky, since "the free market is driven by the bottom line, not security."

This book is full of questionable statements and ludicrous conclusions. Verton states that "the violent destruction of a physical plant, particularly one that relies on computers and networks for its day-to-day operations, can and does have cyber-ramifications." Get real! You unplug one factory from the network, and, at best, its suppliers are annoyed and its banks are irked. Other than power plants - and Verton is not talking about such facilities - I see no way that a single plant or factory's being off-line would affect more than a handful of people.

Verton discusses the devastating effects of computer viruses and worms, using the Nimda worm as an example. But nowhere in this book - or in most others on computer security - does the author discuss that the main responsibility for such an attack is Microsoft's shoddy security record in all versions of Windows, the only operating system generally affected by such viruses. The first thing to do to improve overall security is to address the ubiquity and inherent danger of entrusting so many essential systems to such a shoddy and insecure operating system.

Cyber-terrorism is a real threat, but this book takes too spectacular an approach; could this be in part to incite readers to purchase other books, such as the Hacking Exposed series, sold by the same publisher and featured in a full-page advertisement at the end of the book? Or simply because this kind of hype sells books? A more balanced approach, with a more realistic analysis of the real repercussions of such attacks, would be infinitely more useful. This book reads too much like a Tom Clancy novel, and not enough like a true analysis of an important issue.

Kirk McElhearn  

Kirk McElhearn (kirk@mcelhearn.com) is a freelance writer and translator living in a village in the French Alps. You can find out all about him at his web site, http://www.mcelhearn.com.