In the latter part of February, as I was gathering internet intelligence from one of the many sources I routinely monitor, an odd message appeared.
The message alerted the list about an upcoming virtual march on Washington, D.C. and further identified a web site and what appeared to be a press release. The press release stated that on February 26, 2003, an anti-war assault would be launched against the U.S. Senate comprised of emails, faxes and telephone calls. After reviewing the web site identified in the internet posting for legitimacy, I frantically pecked out a message about this "incident in the making" and fired it off to my own crisis distribution list. Being paid to be paranoid, I had nightmarish visions of widespread phone outages and general telecommunications slowdowns as the result of the virtual march.
Having been the first information security manager at the U.S. House of Representatives, my thoughts immediately went to what this cyber-based assault would mean to the hard-working men and women who administer and secure Congressional systems. I arrived in D.C. shortly after the 1995 government shut-down over budget battles had occurred. Even at that time, email was still making the transition from novelty to necessity, at least for home users. But nonetheless, the mainframe-based email system was brought to its knees and the clean-up of the massive numbers of email messages went on for months afterwards.
On Friday, February 28, CNN posted an article entitled, "Activists hold 'virtual march' on Washington." It had been organized by WIN WITHOUT WAR, a coalition of 32 organizations. Claims were made that some 400,000 protesters signed up to call Senate and White House offices with a clear and direct message: "Don't invade Iraq, we can contain Saddam Hussein without killing innocent people, diverting us from the war on terrorism and putting us all at risk." CNN went on to report that over one million telephone calls and faxes were made and, at one point, the Capitol's phone system was 'jammed' so that communication to Democratic and Republican Senate offices was impossible.
For the rest of the Washington, D.C. metropolitan area, there was no noticeable internet slowdown or reports of telephone outages due to the 'virtual march.' While I support freedom of speech, I have real concerns with this type of protest methodology. The February 26 event was well-organized and led by Tom Andrews, a former Democratic Congressman from Maine. Actors James Cromwell and Martin Sheen appeared in television ads to solicit participation in the virtual march, while 'plug-and-say' protesters could access a web site and pledge their voices.
We got away easy on this one. Obviously, telephone circuits will clear and fax machines will run out of paper. And curiously enough, there was no mention of the numbers of emails delivered to the Senate. I have a suspicion that some action was taken to divert the expected onslaught of email messages from crashing systems. I have real fears - maybe not the next cyberprotest, and not the one after that, but at some point a catastrophe will happen. Had the virtual march expanded beyond the Senate to the House of Representatives and the other countless numbers of government agencies in the D.C. metro area, the outcome could have been a lot different.
In this expanded scenario, imagine communication circuits and systems fail due to overload with the increased burden of traffic. The internet slows to a crawl as failover systems and capabilities quickly become overtaxed and critical services dependent upon communications are hampered. The 911 call requesting assistance for an elderly heart patient cannot get through. Likewise, the call for fire assistance is delayed as the circuits hum with the traffic of protest.
I have yet to hear any negative concerns or outcry from the government regarding virtual-march-turned denial-of-service (DoS) attack. I believe that the WIN WITHOUT WAR folks are sincere and meant no harm. But in their quest to make their voices heard, their actions could have had dire consequences. While the motivation was different for the 'virtual march,' the outcome against the Senate was the same as any old garden-variety DoS-type attack. Is it acceptable to perform this type of malicious activity in the name of 'freedom of speech?' While this attack was launched against the U.S. Senate, the method could be used anywhere in the world against any country, government or business.
Physical protests are localized and the participants are visible. A similar argument can be made with regard to physical protesters blocking streets that may inhibit ambulances and fire trucks. But the 'virtual march' is somewhat anonymous and the debilitating effects may not be apparent until too late.
I am reluctant to make this prediction, but what would prevent miscreants from piggy-backing on the next 'virtual march' as a vector to wreak systemic mayhem? Seemingly well-intentioned cyberprotests can potentially have fatal ramifications. While our systems are redundant, they are not fail proof. Who would have ever considered that Bank of America would lose service of 13,000 ATMs in the wake of the SQL Slammer worm?
Ron Baklarz CISSP, CISM, GSEC, is the chief information security officer for a large non-profit organization headquartered in Washington D.C.