[funsec] US 'unprepared for cyber 9/11'

Tomas L. Byrnes tomb at byrneit.net
Sun Dec 21 12:37:27 CST 2008

Prior to 9/11 Tom Clancy posited using airplanes as Cruise missiles in
the opening scenes of "Executive Orders". He's been pretty prescient in
his description of our vulnerabilities, so maybe reading some of his
"Net Force" books might be useful to those dreaming up defense and
contingency plans.

>-----Original Message-----
>From: funsec-bounces at linuxbox.org [mailto:funsec-bounces at linuxbox.org]
>On Behalf Of Jon Kibler
>Sent: Sunday, December 21, 2008 9:35 AM
>To: John C. A. Bambenek, GCIH, CISSP
>Cc: funsec at linuxbox.org
>Subject: Re: [funsec] US 'unprepared for cyber 9/11'
>John C. A. Bambenek, GCIH, CISSP wrote:
>> Tell me exactly how any scenario of a "cyber 9-11" would entail
>> anything on the scale of a loss of 3,000 lives. Hyperbole does not
>> serve our industry well.
>I can think of several scenarios where lives could be lost from an
>intentional attack against critical infrastructure under computer
>control. Here are a few examples:
>   1) There have already been deaths (from too much X-ray exposure) due
>to software bugs. An intentional attack against medical devices could
>kill people.
>   2) The DoE has already demonstrated that an attack against SCADA
>systems can damage power generation infrastructure beyond quick repair.
>A widespread attack against the generation systems could disrupt power
>for weeks to months on end. If that occurred in conjunction with a
>winter storm, people could easily freeze to death or die of CO
>poisoning, like has already happened in relatively minor power outages
>in mid-winter in the U.S. northeast and midwest.
>   3) Remember Bhopal, India? That was an accidental wrong positioning
>of a valve on a chemical tank that led to a chemical spill that killed
>or injured thousands. Today, much of this type of chemical plant
>infrastructure is under computer control. An intentional attack could
>easily result in a chemical spill that could injure or kill thousands.
>For example, just look at the number of chemical plants directly across
>the river from NYC in Jersey. Each one of those is a ticking time bomb.
>These are just a few ways that 'computers can kill.' I could go on for
>pages with other hypothetical scenarios that you would probably dismiss
>as "would never happen." But, prior to 9/11, what would you have said if
>someone told you that it was likely that terrorists would hijack
>airplanes and crash them into major buildings, killing thousands? I am
>that you would have also dismissed that as "would never happen," too.
>Jon K
>- --
>Jon R. Kibler
>Chief Technical Officer
>Advanced Systems Engineering Technology, Inc.
>Charleston, SC  USA
>o: 843-849-8214
>c: 843-224-2494
>s: 843-564-4224
>My PGP Fingerprint is:
>BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
