9/11: My story

Sep 09, 2016 | 3 mins
Cybercrime | Government | IT Skills

How the information security community can support law enforcement in preventing another large-scale attack.

On Sept. 11, 2001, at 6:45 am, AA flight #1017 lifted off LaGuardia runway #4 on its way to Minneapolis. As it made a lazy right turn over Manhattan and past the twin towers, I remarked to myself how crystal clear the sky was. Having lived in NYC for 25 years, I remembered many peaceful fall mornings like that. Our flight was completely uneventful until we reached MSP airport where chaos was in the air and on the monitors. People were hoping that a small plane had hit the North Tower, but I knew it was a terrorist attack. On such a clear day I knew that no pilot could make that mistake. I didn’t know it would take me a week to get back home.

It feels like a lifetime has passed since 9/11, although it has been only 15 years. We lost friends and neighbors. A pall hung over the city for months and I was hesitant to revisit the place where I had worked as an information security consultant and trainer only a few years earlier. Recently, visiting the new Freedom Tower gave me hope and thanks in our ability to bring out the good in people.

I am also grateful to the FBI, Secret Service and other law enforcement teams that have prevented another similar attack. Supported by the information security community, I believe that they have made great progress in stopping similar attacks. I am noticing more prosecutions for “low level” cybercrimes, like the recent arrest of two men for hacking email accounts of government officials. This is how NYC itself cleaned up in the 1980s…through the “broken windows” program of prosecuting low level street crimes. With all the warts in the CFAA, we need to continue to enforce it against similar types of cybercrimes.


The government’s response to 9/11 was to create DHS, now a behemoth of 240,000 employees. Normally, in business, the response to an agile enemy is to create an agile defense. Not so with DHS. On the other hand it is amazing that the number of FBI special agents has increased from 14,000+ to only 19,000 over 2001-2014. Who thinks the cybercrime and terrorist threat increased by only 30% since 2001?  

My conclusion is that our private security community needs to be an active part in preventing terrorism. There will be no government deflector shield. It means being an active member of InfraGard and supporting initiatives like the 2015 Cyber Intelligence Sharing and Protection Act.

The foremost job of security professionals is to help educate the public about good security practices. We know that people are the root cause of many security breaches and that collective bad practices will put our collective government and critical infrastructure at risk. We are reminded of this in the headlines about hacking the 2016 election.

I believe it is also the responsibility of security professionals to support reasonable requests of law enforcement engaged with protecting citizens from crime or terrorist attacks. This covers both incident response and proactive investigations. Questions of privacy are too often cast in black and white terms, with a one size fits all solution. I do have an EFF sticker on my laptop. But have we been too quick to forget that Zacarias Moussaoui was captured in Minnesota a full month before 9/11? The FBI was not able to get a warrant to search his laptop. We need continued, open discussion of privacy and security issues as both the threats and technology change.

Remember Thomas Jefferson: “Eternal vigilance is the price of liberty”.


Dr. Frederick Scholl is a thought leader in information security. His professional experience includes semiconductor researcher and engineer, start-up cofounder, and academic professor and leader.

He has both security practitioner experience and credentials as an educator. He consults on security governance, risk management and compliance issues.

Dr. Scholl started and leads Quinnipiac’s MS Cybersecurity program. This online degree program is focused on career changers who have a strong business and IT background, but little or no cybersecurity experience. The program emphasizes software security, cloud security, risk management and resilient systems.

The opinions expressed in this blog are those of Frederick Scholl and do not necessarily represent those of IDG Communications Inc. or its parent, subsidiary or affiliated companies.