Monday 23 Jul 2018 | 12:27 | SYDNEY

Government acts on cyber-terrorism, but will it help?


Sam Roggeveen


14 April 2008 11:47

Media reaction to news that the Government is considering laws to monitor email traffic has focused on privacy. That's entirely legitimate, but there should also be concern about how useful it is for any Government to have these powers.

It is reassuring to hear the Attorney-General express concern about the threat of cyber-terrorism. He's right that an electronic attack on our financial system or infrastructure could be far more damaging than a physical attack. This story demonstrates how easy it is:

Cracking a power company network and gaining access that could shut down the grid is simple, a security expert told an RSA audience, and he has done so in less than a day. Ira Winkler, a penetration-testing consultant, says he and a team of other experts took a day to set up attack tools they needed then launched their attack, which paired social engineering with corrupting browsers on a power company's desktops. By the end of a full day of the attack, they had taken over several machines, giving the team the ability to hack into the control network overseeing power production and distribution.

Winkler says he and his team were hired by the power company, which he would not name, to test the security of its network and the power grid it oversees. He would not say when the test was done, but referred to the timeframe as "now." The company called off the test after the team took over the machines. "We had to shut down within hours," Winkler says, "because it was working too well. We more than proved that they were royally screwed."

Some argue that Islamist terrorists are not attracted to this kind of action because it lacks the drama of suicide terrorism and mass death. That could be right, but it's not something we ought to be relying on. So it is encouraging to see Government recognition of such vulnerabilities, but is giving ASIO and other security agencies* more powers the way to deal with the threat? It seems like a rather predictable top-down response. It's hard to see how any bureaucracy can keep up with the nimbleness of electronic attackers, and the sheer variety of ways such attacks can be staged. Aren't we better off making our systems more survivable and redundant rather than trying to protect them?

* UPDATE: I blogged in haste — the plan is to give these powers to companies running critical infrastructure, not directly to government agencies. That seems a more sensible approach, though I maintain my concerns about the emphasis on prevention, which I think is a losing proposition. We ought to be doing far more about resiliency.