Shrieking in Cyberspace Relax. Your computer’s fine. We’re only blowing billions on an overhyped terror threat. Winn Schwartau was standing in the shower of his suburban Nashville home one morning 13 years ago when he was visited, he says, by a vision. It was a vision of the future, a vivid and terrifying image of a high-tech apocalypse. He saw terrorists with keyboards, unleashing swarms of computer viruses into cyberspace. He saw gangs of foreign mercenaries hacking computerized banking systems and tipping the Western economic system into chaos. He saw religious fanatics gaining access to electric power grids and triggering mass blackouts. He saw sewage treatment plants overflowing, life support machines sputtering, bridges falling, planes crashing. “I just closed my eyes and this whole movie played out in my mind,” he says. “I counted up all the threat-based capabilities out there and glued them together. They added up to a nightmare.” A former rock-and-roll producer with a bushy black mustache, Schwartau took up computers in the early 80s as a “quaint hobby” and went on to start a successful Virginia computer security company. But after his near-religious experience, Schwartau became a full-time dark prophet of the digital age, joining a growing legion of computer engineers, think tankers, academics, novelists and spies convinced that America was headed for what Schwartau called “an electronic Pearl Harbor.” September 11 instantly recast the threat from a sci-fi pipedream into what the Bush Administration is treating as a grim probability. Today, so-called cyberterrorism is a top priority of the new Homeland Security Department, the focus of a new FBI division and the rallying cry for a booming new cybersecurity industry. Scenarios vary, but this is the basic premise: Evildoers halfway around the world hack into command and control computer networks here that control dams, factories, hospitals, power plants, air traffic control systems -- even amusement parks. To prevent such attacks, the federal government will spend $4.5 billion next year securing government computers, with private industry shelling out $13.6 billion to build up digital defenses. It’s easy to forget one simple fact: Cyberterrorism is imaginary. It has never happened. In the 13 years since Schwartau warned of an impending electronic catastrophe, not one single computer attack has been traced to a terrorist organization. The FBI, which now has some 1,000 dedicated “cyber-investigators,” has never responded to a hack, virus or even a spam e-mail linked to a terrorist. What’s more, cyberterrorism may not even be possible – some computer experts say networked computers simply aren’t capable of triggering the sorts of destruction described by cyberterror buffs. That doesn’t mean terrorists don’t use computers, or that the Internet hasn’t been a boon to thieves, pranksters, disgruntled workers and political activists. But computer crime is not cyberterrorism. And so far anyway, our most dangerous and determined enemies -- al Qaeda or any of the 27 covert groups listed by the federal government as terrorist organizations -- appear only dimly aware of the arcane tricks of computer warfare that inspire such fever dreams in American computer geeks and policy wonks. The scant evidence that the sky is indeed falling – heavy Web traffic from Indonesia, research on electronic switching systems on al Qaeda laptops, rumors of master hackers at Camp X Ray in Cuba – might get pulses racing among fans of Tom Clancy. But it’s hard to come away from any sober reality check without concluding that computers are less weapons of mass destruction than weapons of mass annoyance. While popular scenarios are certainly cinematic – cut to: Matthew Broderick bringing the U.S. to the brink of nuclear war in War Games – the fact is that computers are a lot less connected or all-powerful as we might think. For one thing, most computer systems that control so-called critical infrastructures aren’t even plugged into the Internet. “There seems to be this perception you can log on to America Online, and if you know the right passwords, hack into the national power grid,” says Douglas Thomas, a USC professor and author of two books on hacking and the policing of cyberspace. “People don’t seem to realize that these aren’t publicly accessible systems. Why would they be? Most sensitive military and government networks are completely shielded. A terrorist would have to be a ranking official in the military to get access to these networks – and if that’s happening, we’ve got way bigger problems than computer security to worry about.” More importantly, most critical computer systems are vast labyrinths of code that can’t be navigated with the help of store-bought manuals. As one former hacker recruited by Cisco Systems as a security architect confided, “I’ve worked here two years and if someone came along and asked me where the source code is for the operating system, I’d have no idea.” But perhaps the main reason why cyberterrorism has remained more fiction than fact is that we Americans know more – and care more – about computers than any of our enemies. While most Westerners have trouble even remembering a time before e-mail, ATMs or cell phones, technology figures a lot less prominently in the lives of, say, the average Islamic fundamentalist. And so far anyway, low-tech tools like bombs, bullets and box cutters have proven to be highly effective instruments for whipping up terror. What’s really going on then, suggests author Robert Young Pelton, is the latest outbreak of the techno-jitters that brought us Y2K hysteria -- this time charged with the lingering shock of Sept. 11. With a surplus of fear and a shortage of anything we can actually see, we’ve fused two of the most mysterious and incomprehensible forces of the modern age: technology and terrorism. It’s the Red Scare of the information age, complete with invisible enemies, doomsdays and massive government contracts. “The whole idea plays to our deepest fears,” says Pelton, whose unauthorized trips into combat zones led to the first interview with the famed “American Taliban,” John Walker Lindh. “Terrorists just don’t have the same mindset. What you’re really looking at is a big fat government trying to reshape the enemy in its own form.” ••• To hear Senator John Edwards tell it, cyberterrorism is a national emergency that should stir the resolve of every American. “We live in a world where a terrorist can do as much damage with a keyboard and a modem as with a gun or a bomb,” the North Carolina Democrat declared in January. Just a month earlier, Congress targeted cyberterrorists as part of the U.S.A. Patriot Act, giving police sweeping new surveillance powers and stiffening sentences for those convicted of computer crime. It’s unlikely that any of these tough new laws will make a whit of difference in the fight against terrorism. Where they’ve already come into play is in the prosecution of teenage hackers who’ve expressed half-baked political motives, or in efforts to curtail online fraud, extortion, corporate espionage and other economic crimes, which cost U.S. industry upward of $15 billion in 2001 alone. Leading the government’s counter-offensive is Richard E. Clarke, the nation’s first cybersecurity czar. A former national security advisor who has worked for every president since Reagan, Clarke is bald, jowly and authoritative, a towering presence among the nerdy code jockeys and slick consultants who make up much of the info-war camp. Since his appointment, he’s criss-crossed the country spreading the gospel of digital vigilance, rallying crowds of IT worker bees with hawkish quotes from Churchill and dire warnings that our enemies are poised to “attack us not with missiles and bombs but with bits and bytes.” Lounging in a hotel lobby during a recent stop in Portland, Clarke is quick to acknowledge that neither he nor anyone in the 13 agencies and offices of the U.S. intelligence community has any evidence that terrorists are now using computers as weapons. “We haven’t seen an attack by a terrorist group meant to hack its way into a Web site or otherwise do damage,” he says. “We haven’t seen the Palestinians turn off the electricity in Haifa. We haven’t yet seen a terrorist group drop the electric power grid, crash a communications network or disrupt a banking system.” But just because they haven’t yet doesn’t mean they won’t. Clarke doesn’t discount any of the cyberterror possibilities, quickly ticking off a few that he finds the most plausible: an attack on the military networks that control troop deployment, or a hack of the computer routers that control the Internet itself. In another favorite plot, a mysterious outbreak of anthrax is followed by a computer attack on the Centers for Disease Control and Prevention in Atlanta, slowing down response teams and multiplying the body count. Of course no one, not even the Patton-like Clarke, can say for certain whether such events will ever come to pass, or how to measure their probability against other post-Sept. 11 threats, from truck bombs on the Bay Bridge to anthrax-filled crop dusters over Manhattan. The only real evidence that terrorists are even aware of the destructive capabilities of computers emerged this summer, with a report in The Washington Post that al Qaeda laptops seized in Afghanistan contained research about digital devices that allow remote computers to do things like throw railway switches and adjust the flow of oil and water. Clarke admits the public evidence is limited but claims that classified intelligence indicates that terrorists are poised to strike. Clarke is meanwhile rallying a whole new wing of government to fight back. On that early summer evening in Portland, Clarke retreated to his hotel suite, switched on CNN and watched his boss announce to the nation plans to create a permanent White House Department of Homeland Security. Among the new department’s responsibilities is the protection of cyberspace, adding some 150,000 federal agents and an annual budget of $37 billion to the potential war chest. His nose buried in a stack of reports on the new bureaucracy, Clarke couldn’t conceal a grin. “This is big,” he said. “Very, very big.” ••• While cyberterror is certainly scary, a close look at the cases cited as proof of the threat is much less sensational. Typical was a December 2001 news item that many pronounced to be the long predicted first shot of the info-war. According to an Indian newspaper report, Islamic militants had gone undercover at Microsoft and planted a so-called Trojan horse virus in the new Windows XP operating system. Fortunately, the whole story was bogus. “It was a bizarre allegation that had no basis in fact,” says Microsoft spokesman Jim Desler. Still, the tale demonstrates a crucial point in the hype over cyberterrorism. Can anyone seriously count a computer virus that crashes a hard drive in the same category as a radiological bomb that craters a city? The important difference, of course, is violence. Terrorism simply isn’t such a big deal without explosions, dismemberment or death. And notwithstanding the killer cyborgs in Terminator or the merciless HAL in 2001, computers don’t have much talent for killing people. Most authorities – including the government’s National Infrastructure Protection Center – make this distinction, defining a cyberterrorist attack as a politically motivated, computer assault on civilians that causes physical harm. This is bad news for cyberterror buffs, because it eliminates from discussion 99 percent of the cases cited as proof that cyberterrorism is a clear and present danger. There’s simply not much blood and guts in the hacker users manual. There are, however, a multitude of methods for screwing up another computer, slowing down a Web site or stealing private files. After the standoff between China and U.S. over a downed spy plane two years ago, the home pages of the White House, the Air Force and another 1,200 American Web sites were hacked, many tagged with political slogans. Such Web defacements have become routine in Israel, where pro-Palestinian hackers have declared a “cyber jihad” and Israelis have organized a “cyber militia” whose handiwork includes the sudden appearance of porn on the homepage of those fun-loving hedonists, Hamas. More damaging are so-called denial of service attacks, previously employed to clog NATO servers following the U.S. bombing of Serbia. John Arquilla, a leading Pentagon theorist and professor of public policy at Pepperdine, sounds like he’s analyzing an invasion of undead flesh eaters and mighty warriors when he describes “master hackers” and their power to amass enormous arsenals of zombies.” But USC’s Thomas wonders whether terrorists get so worked up over what is essentially a nasty trick for freezing Web sites and disrupting e-mail. “I just can’t imagine some lieutenant going back to Osama bin Laden and saying ‘We’ve struck terror in people’s hearts – Yahoo! was inaccessible for over an hour,’” he says. By far the most damaging form of computer attack is the total takeover, in which a hacker hops over firewalls, puzzles out passwords and gains complete control of a system. It’s called “breaking root,” and it’s the brass ring of hacking. Break root, the theory goes, and you can do anything a computer can: fluctuate the value of the U.S. dollar, stop traffic in midtown Manhattan or redirect all 911-calls to a single pizza parlor. Breaking root is the basis of all the scarier cyberterror stories, from the global meltdown of Tom Clancy’s Net Force series to the recent FBI reports that al Qaeda hackers may be learning about the digital devices commonly used in American network systems. While total takeover sounds alarming, computer experts say it’s really not such a catastrophic event. In fact, it happens all the time. The CERT Coordination Center, a government-supported computer emergency response team at Carnegie Mellon University, logged some 52,658 security breaches and attacks in 2001. Experts say between a quarter and a half of those involved a hacker gaining total control of a system. Do the math and you find that in one year, hackers went for more than 13,150 joy rides – and those are just the ones that freaked out their owners enough to call in government computer cops. “It’s one thing hacking in – it’s another thing entirely operating one of these systems,” says Erik Ginorio, a former hacker and FBI informant from San Francisco who now works in private security. “To do real damage or make a system do something the owner doesn’t want done, you need real experience on high-end stuff. You need equipment and tons and tons of knowledge about the systems we’re running. And there’s just not that much of that high-end equipment floating around out there.” ••• Cyberterrorism may be hypothetical, but there’s nothing hypothetical about the billions of dollars flooding into the cybersecurity industry. In fact, cyberterrorism may be the best thing to happen to the tech sector since Y2K hysteria -- except this boom has no built-in expiration date. According to Forrester Research, U.S. businesses spent $5.7 billion protecting computer data the year before the attacks on the World Trade Center. Next year they’ll shell out an estimated $13.6 billion, with projections climbing every year through 2006. EDS, the tech giant founded by Ross Perot, is currently building what is billed as an “unhackable” private Internet for the Navy and Marine Corps at a cost of more than $6 billion. Meanwhile sales of antivirus, intrusion detection and other security software have skyrocketed, and computer geeks are recasting themselves as Chief Security Officers, a new executive level post that that can fetch salaries of $400,000. Even the CIA is hitching a car to the money train, establishing a venture capital firm called In-Q-Tell (named after the James Bond sidekick) to partner with companies developing, among other things, anti-cyberterror technology. Lower down the food chain are the thousands of consultants, analysts and educators who make their living warning of the dangers lurking inside our laptops. “I caught the wave,” says Matt Devoe, a computer engineer from Washington DC who got into the business at the tender age of 21 after writing his thesis on info-war. He hit the speaking circuit before graduating, got a consulting gig with the Department of Defense and now runs a “multimillion dollar research analysis company” called Technical Defense Incorporated. “It was just starting when I got started and it’s grown ever since.” Devoe can provoke jitters in the most hardened CEO describing his experiences as a “white hat” hacker hired to attack computer networks. He’s hacked public utilities, air traffic control systems and such corporations as Microsoft and Citygroup and he says he routinely finds himself in a position where he could steal vast stores of money or trade secrets or make his presence known to millions of innocent bystanders. Other experts doubt it’s quite so simple. “If they could’ve, they would’ve,” says George Friedman, a former Pentagon advisor who now runs an Austin-based private intelligence company called Stratfor. Friedman says the legions of cyberterror “experts” are little more than storytellers. “They love technical head games, but ask them to point at really successful attacks on critical infrastructures and they’re at a loss,” he says. It’s true that there’s nothing cyberterror buffs enjoy more than pointing out vulnerabilities and bragging about how they could exploit them. Howard Schmidt, former security chief at Microsoft and now the deputy chairman of the President's Critical Infrastructure Protection Board, was reminded of this professional pride this summer, when he told an assembly of computer engineers that in all his years in the field, he himself had never been a victim of computer crime. “Is that a challenge?” hollered a consultant in the crowd. “We have the technology.” The room erupted. And the laughter wasn’t just at the expense of an easy target like Schmidt. It hit on an obvious but rarely-spoken truth: that most of us will never encounter even a petty thief online, but that the creators of the most devilish cyberterror scenarios are right here among us, designing software, writing techno-thrillers, and setting government policy. And they’re scaring us silly. “We’re all sitting around looking in the mirror, asking if someone was just like us, how would he take advantage of our weaknesses?” says Fred Freer, a retired CIA analyst and specialist in the Middle East. “Of course they’re not just like us. We’ve got to get out of this crazy reactive mode and stop trying to scare ourselves. We’re all chasing our tails and looking more and more foolish.”