What will it profit you to gain [free online scholarship] and lose your very [connectivity]?  Luke 9:25.
Free Online Scholarship (FOS) Newsletter
October 19, 2001
by Peter Suber
Is the internet really vulnerable to massive failure from deliberate attacks?  I admit that this is one scenario about the risk of FOS for which I have no ready answer.  I can say that such attacks are unlikely.  But is this just wishful thinking?  I can say that FOS relies on distributed archives which cannot all be destroyed, even if the connections among them are temporarily severed.  But I don't really know the maximum destructive potential of viruses and worms.  I can say that we shouldn't slacken our efforts to enhance research and education just because these efforts could be undermined by determined wrongdoers.  If that consideration could suspend FOS initiatives, then it could suspend all constructive activity.  But clearly I cannot say that FOS would still be useful if the internet itself were deeply unreliable or largely destroyed.  Worse than useless, a shift to FOS could be dangerous if we let other forms of publication atrophy and then experienced a digital apocalypse.

So far I haven't heard any critic of FOS or lobbyist for commercial publishers call for a pause until the internet can be hardened against attack.  But it's healthy to anticipate the objection and think about how to answer it.  (How could you persuade a clay-tablet culture to make the move to paper at a time when some prognosticators fear arson?)

How reasonable is the fear?  How likely are terrorist attacks on the internet?  How vulnerable is it to attack?  Here are the views of eight people who have studied the problem.  (I cite the sources below.)

Steve Bellovin, security expert for AT&T:  "There is a substantial risk of someone taking out the internet.  That capability absolutely exists."

Bruce Schneier, security and encryption expert now with Counterpane Internet Security:  "The Internet is not as robust as people think.  Among security people, it's well-known --someone could take out enough of the thing so it's all gone, for weeks or months."

Dave Dobrotka, former security system administrator for the U.S. Air Force's Information Warfare Center:  "I've seen reports comparing computer readiness of the Internet to airport security before the terrorist attacks."

Alan Paller, Director of the System Administration, Networking, and Security (SANS) Institute:  "The Internet is simply not ready because of these vulnerabilities; we're not ready to withstand a major attack."

William Wulf, president of the National Academy of Engineering:  "Frankly, I was simply appalled by how very little progress [on network security] had been made in the past 15 years....We have to think about an active defense.  Everything we have done so far has been passive."

Richard Forno, CTO for Shadowlogic and consultant to the Defense Department on information warfare:  "I'm just not impressed with the overall United States government infrastructure assurance effort."

Report from the National Infrastructure Protection Center (NIPC):  "Although the cyber protests seen today have already caused limited damage, the potential for future attacks could bring about large economic losses as well as potentially severe damage to the national infrastructure, affecting global markets as well as public safety."

John Tritak, Director of the U.S. Critical Intrastructure Assurance Office (CIAO):  "Infrastructure owners and operators have always had primary responsibility for protecting their physical assets against unauthorized intruders.  Yet these measures, however effective they might otherwise be, were generally not designed to cope with significant military or terrorist threats."

Keith Epstein, Taking Out the Net  (Bellovin and Schneier quotations)

Howard Wolinsky, Cyber-jihad could be chaotic, even deadly  (Dobrotka quotation)

Patrick Thibodeau, FBI, SANS Institute: Internet 'not ready' for attack  (Paller quotation)

Dan Carnevale, Congress is Urged to Spend More on Research Into Ways to Counter Cyberterrorism  (Wulf quotation)

Michelle Delio, Cyberwar Foundering on Feuds?  (Forno quotation)

Brian Krebs, FBI Warns Of Increased Hacktivism, Cyber Protests  (NIPC quotation)

October 4 Senate testimony of John S. Tritak, Director of the U.S. CIAO  (Tritak quotation)

* Postscript.  On May 22, 1998, Bill Clinton signed Presidential Decision Directive #63, which created the National Infrastructure Protection Center (NIPC) and its Critical Infrastructure Assurance Office (CIAO).  Michelle Delio (cited above) reports that there are now turf wars between Clinton's NIPC and Bush's Homeland Security Office, which interfere with efforts to protect U.S. infrastructure.  Here are some additional links on internet vulnerability and protection.

National Infrastructure Protection Center (NIPC)

NIPC report on the threat to the U.S. information infrastructure (October 2001)

Critical Intrastructure Assurance Office (CIAO)

Clinton Administration white paper behind Presidential Decision Directive 63

George Bush's panel to prevent cyberterrorism

Institute for the Advanced Study of Information Warfare

EPIC's Critical Infrastructure Protection Resources

The SANS Institute, The Twenty Most Critical Internet Security Vulnerabilities, Version 2.100 (October 2)

Vulnerability Notes Database from the CERT Coordination Center

The National Institute of Standards and Technology recently awarded $5 million in grants to improve internet security.
(Just $5 million?)

Infoshop.org's page on Info War, Netwar, Cyberwar
(not up to date)

* PPS.  Would terrorists take down the internet if they need it for communication and organization?  I don't know.  Maybe those who use it are at odds with those who are terrified by post-medieval life, including the Taliban who banned the internet completely from Afghanistan in July (see FOSN for 7/17/01).  But the evidence is that many terrorist groups do use the internet.

* PPPS.  As I go to press, the AP is reporting that President Bush wants to change the Freedom of Information Act (FOIA) so that details about attacks on computer networks need not be made public.  This is intended to encourage the reporting of attacks on private companies, which might lose business if their customers thought them vulnerable.  If the loss of this FOIA information will hinder research into internet security, then this move puts corporate PR ahead of national security and the public interest.


Read this issue online

The Free Online Scholarship Newsletter is supported by a grant from the Open Society Institute.


This is the Free Online Scholarship Newsletter (ISSN 1535-7848).

Please feel free to forward any issue of the newsletter to interested colleagues.  If you are reading a forwarded copy of this issue, you may subscribe by signing up at the FOS home page.


Peter Suber's page of related information, including the newsletter editorial position

Newsletter, archived back issues

Forum, archived postings

Conferences Related to the Open Access Movement

Timeline of the Open Access Movement

Open Access Overview

Open Access News blog

Peter Suber

SOAN is licensed under a Creative Commons Attribution 3.0 United States License.

Return to the Newsletter archive