July 14, 2009 1:16PM

“Cyberattack” in Perspective

By Jim Harper

Two very welcome articles skewer breathless reporting and commentary on the recent cyberattack against U.S. government Web sites, among other things.

In a "Costs of War" column entitled "Chasing Cyberghosts," intrepid reporter Shaun Waterman turns up the excesses that blew the story out of proportion and easily enticed congressional leaders to overreact.

[M]edia coverage of the attacks almost universally attributed them to North Korea, initially on the basis of anonymous sources in the South Korean intelligence services.

"There’s not a shred of technical evidence it was North Korea," said [Internet Storm Center director Marcus] Sachs. . . . [M]any lawmakers, apparently anxious to polish their hawkish credentials, were swift, as Sachs put it, "to pound their fists and demand retaliation."

The North Koreans "need to be sent a strong message, whether it is a counterattack on cyber, [or] whether it is more international sanctions," said Republican Rep Peter Hoekstra, a ranking member of the House Intelligence Committee. "The only thing they will understand is some kind of show of force and strength."

Security guru Bruce Schneier puts it all in perspective:

This is the face of cyberwar: easily preventable attacks that, even when they succeed, only a few people notice. Even this current incident is turning out to be a sloppily modified five-year-old worm that no modern network should still be vulnerable to.

Securing our networks doesn't require some secret advanced NSA technology. It's the boring network security administration stuff we already know how to do: keep your patches up to date, install good anti-malware software, correctly configure your firewalls and intrusion-detection systems, monitor your networks. And while some government and corporate networks do a pretty good job at this, others fail again and again.

I testified on cybersecurity in the House Science Committee late last month. This episode was a perfect illustration of one of my points to the committee: "Threat exaggeration has become boilerplate in the cybersecurity area."

Waterman's and Schneier's pieces are shorter and eminently more readable so I'll give them a "read-the-whole-thing." All three of us participated in the Cato's January conference on counterterrorism strategy.