Tuesday, October 10, 2006

WIRED BUT NO SMARTY-PANTS: I was scared by a cyberterror simulation, says journalist

Momentary horse-laugh of the day goes to Chris Suellentrop, an editor at Slate, writing about becoming a convert to the decrepit church of cyberterror in "Sim City: Terrortown:"
AS SOMEONE WHO FANCIES HIMSELF a smarty-pants Washington writer, I had been convinced by the smarty-pants Washington elite that the threat of cyberterrorism – terror attacks carried out online instead of, you know, with bombs – is a hoax. I even commissioned and edited an article that said as much for Slate, the online magazine for the smarty-pants set. The theory goes something like this: Technology companies, desperate for profit after the dotcom bust, concocted the idea of cyberterrorism in the wake of September 11 to gobble money from the federal homeland security trough. But we all know that nobody's life is in peril if Osama bin Laden orchestrates a multifront attack on Orbitz, CheapTickets, and Expedia.com.

No surprise, Suellentrop is not such a smarty-pants. In defining cyberterror, he misses the boat by a good many years.

It's a little surprising, because WIRED actually covered the beat on-line much of the time prior to 9/11.

In any case, Suellentrop credits cyberterror mania to "technology companies" post 9/11.

In fact, the town-criers on the cyberterror danger were government officials, the most famous of whom was Richard Clarke, who earned this column, "Legacy of Miscalculation."

Reprinted everywhere that was Republican red, it led to a cover story at the NYC altie-newsweekly, The Village Voice. [Summarized: Dems thought Clarke's after-the-fact 9/11 tell-all would turn the election over to John Kerry. I predicted the opposite -- because Clarke was a weak savior -- for the cover of a hardcore "lefty" news pub, The Village Voice, where I'd been called a "commie puke," among other things.]

Ahem -- so anyway, for better or for worse, DD knows the story of cyberterror.

And companies jumped on that bandwagon years after the American government had flogged it into the ground. In the wake of 9/11, when it looked like the feds were going to throw money at everyone who could cry "terror" even feebly, many tried for some of the gravy. There is little indication in 2006 they reaped a bonanza for their efforts.

And another long-time critic of cyberterror was Rob Rosenberger, an old colleague from VMyths. He wrote an entertaining audiobook about Clarke's tenure as US Czar against Cyberterror.

What Suellentrop also obviously doesn't know was that the meme of cyberterror had a very rich history, dating from the time it went under the phrase, "electronic Pearl Harbor," or EPH.

Punch it into Google like this and three of the first four entries belong to me.

And as GlobalSecurity.Org official expert, the CATO Institute actually flew me into DC from Pasadena in 2003 to be the Devil's advocate in a seminar on cyberterror, although by that time serious national-level debate on the subject was pretty much over.

But the most comprehensive sampling of quotecant on "electronic Pearl Harbor," or cyberterror -- if you will, comes from the homepage of the Crypt Newsletter, an on-line publication I edited off servers at Northern Illinois University, during the Nineties. It's here and I stopped adding to it around the turn of the Millenium when the cyberterror burble became deadeningly shopworn.

Notice -- this was all well before 9/11.

Crypt Newsletter had been on-line since 1993 or '94 and I stopped maintaining it about five years ago. It will go off-line sometime in 2007 when the criminology prof who maintains the computers at soci.niu.edu goes into semi-retirement. He was editor of the well-known Computer underground Digest aka CuD.

Some quotes from 2000 and earlier, on cyberterror, from the archive:

". . . Y2K will illustrate what a attack could do . . . Anybody who says after January 1, 2000 that this [threat of cyber attack] is all just made up I think is an idiot."

--- James Adams, author of the book "The Next World War" and head of iDefense, a company that provides intelligence on cyberterror, appearing in USC's Networker magazine, 1998-99.

Adams' business was launched for the sake of defending the nation against cyberterror. The business went into bankruptcy in the following years and Adams was ejected from its leadership.

Or how about this one from November 4, 1999:

``We expect that (terrorists) will attempt to use Y2K as a cover for putting some kind of attack into a vulnerable place . . . That is, when a Y2K solution goes in, they will fly underneath that with an attack of their own that will shut the system down . . . " said Utah Republican Senator Bob Bennett at a National Press Club event.

This comes from 1999, too:

Then a National Infrastructure Protection Center analyst was deployed to furnish another hypothetical -- emphasis on "hype" -- scenario for which no evidence is provided: Osama bin Laden could instigate a computerized equivalent of the World Trade Center bombing. [That's the first WTC bombing.]

"Alan B. Carroll, an FBI agent . . . urged those at the conference to imagine a computer or communications version of the World Trade Center bombing - a disaster that brings down, say, computer or telephone networks on which society depends . . . 'Referring to the alleged terrorist Osama bin Laden . . . Carroll said that 'given the resources of this man, you can imagine the kind of damage he could do.'"

The NIPC no long really exists. It would up being broken into pieces, part of it going to the Dept. of Homeland Security, part to the FBI.

And this from 1999, from the Washington Times column edited by Bill Gertz. One author is produced, flogging a book on cyberterror and the People's Liberation Army:

"William Triplett, co-author of a new book on the PLA," said: "All of this offensive-warfare talk, when China is not threatened by anyone, shows that the dragon is at the point where it doesn't have to hide its claws."

According to Triplett, "China could launch a devastating computer-run sabotage operation by attacking U.S. oil refineries, many of which are grouped closely together in areas of Texas, New Jersey and California."

"A [Chinese] computer attacker could penetrate the electronic 'gate' that controls refinery operations and cause fires or toxic chemical spills . . . "

During cyberterror's glory years, a revolving cast of bad actors -- bands of criminals, programmers or nation-states -- would go in and out of fashion as designated theoretical adversary. In addition to the evergreen miscellaneous collections of arch-hackers, the French, Russians, Indian offshore programmers, occasionally North Korea, and once or twice, even Saddam Hussein were favored. But China was always the most popular.

Also from 1999, Congressman Curt Weldon, on National Public Radio's "All Things Considered:"

"[Curt] Weldon says a successful hacker could disrupt civilian life, striking hospitals or train systems," said the NPR interviewer.

WELDON: "It's not a matter of if America has an electronic Pearl Harbor, but when."

1999 again, in Reuters:

"Hacker Threatens To Leave Country In The Dark" was the headline of an un-bylined story issued by the news agency on Sept. 29.

"A computer hacker has threatened to break into the computers of Belgian electricity generator Electrabel Wednesday afternoon and halt the power supply to the entire country," proclaimed the news service in 500-word squib.

``Tomorrow I will leave Belgium without power, and that is not so difficult,'' an anonymous hacker crowed to a Belgian newspaper.

``Wednesday I will get into Electrabel's computers between 1:30 and 3:30 in the afternoon and shut down all the electricity.''

The Belgian electric company, Electrabel, "said it was taking the threat seriously but felt that the hacker had little chance of succeeding."

``There is very little chance that Belgium could be without power,'' said a corporate spokersperson.

No Belgian blackout was subsequently reported.

But the great grand-dad of "electronic Pearl Harbor" and cyberterror, although there are indications he later tried to renege on the title, was Richard Clarke.

Prior to 9/11, few Americans knew who Richard Clarke was but observers of the cyberterror meme knew him very well. He owned the entire property -- lock, stock and barrel, taking it off the much less well-known John Hamre, an assistant secretary of defense during the Clinton administration.

And Clarke's best proclamations, echoed down through the years, were published in Signal, the magazine of the Armed Forces Communications and Electronics Association.

In its August '99 issue, Clarke said there was "a very real possibility of an electronic Pearl Harbor."

"Without computer-controlled networks, there is no water coming out of your tap; there is no electricity lighting your room; there is no food being transported to your grocery store; there is no money coming out of your bank; there is no 911 system responding to emergencies; and there is no Army, Navy and Air Force defending the country . . . All of these functions, and many more, now can only happen if networks are secure and functional.

"A systematic [attack] could come from a terrorist group, a criminal cartel or a foreign nation . . . and we do know of foreign nations that are interested in our information infrastructure and are developing offensive capabilities that would allow them to take down sectors of our information infrastructure . . . "

Signal went on to describe a national disaster caused by cyberterrorists, embellished by Clarke.

"One possible scenario would feature a demand leveled by a foreign government or terrorist group," wrote the magazine. "When the U.S. government refuses to comply, this adversary demonstrates its capabilities by reducing a region of the United States to chaos. 'I think the capability to do that probably exists in the hands of several nations,' Clarke stated. 'I think it could exist in the near future in the hands of criminal and terrorist organizations.'"

"Envision all of these things happening simultaneously -electricity going out in several major cities; telephones failing in some regions; 911 service being down in several metropolitan areas. If all of that were to happen simultaneously, it could create a great deal of disruption, hurt the economy . . . "

Suellentrop writes in his essay that he was invited to take part in a computerized wargame in which cyberterrorists attack a town in New England. It was pimped, or I should say -- designed, by Dartmouth's Institute for Security Technology Studies.

Now, with a name like that, you might think it's an academic operation which broadly addresses national security problems and technology.

But if you go out to its website, it's just like the dreary old Nineties collections of faculty members and miscellaneous experts, virtually anyone will do, as long as they are ready to keep working the cyberterror angle with courses, lectures and monographs that drill into your head the menace of it. Sullentrop, not knowing much about the subject, was actually a very good person to invite for the simulation, easily bowled over by the theatre of it.

In the Nineties, you could read the proclamations of cyberterror experts almost daily in the US newsmedia. After 9/11, their presence dwindled rapidly until virtually no one in the mainstream pays attention to them anymore. The mandarins of cyberterror were definitely of a time. In other words, now these guys need all the publicity they can get.

With nothing new here, it would be expected that any simulation by such an institute would be one designed to show its participants how deadly cyberterror is, with no wiggle-room allowed.

But what Chris Suellentrop doesn't seem to realize, at least he gives no inkling in his writing, is that all such simulations, when run for journalists or officials, are rigged so the participants can't win.

Instead he suddenly gets religion and sees the light.

"The game couldn't end soon enough," Suellentrop writes. "I don't think we won."

" . . . But in eight hours, I went from smarty-pants to scaredy-cat. Computers don't kill people; people with computers kill people.

Well Chris, such simulations at a Dartmouth institute are simply role-playing games, and if you take part in one, your job is that of the patsy, one of the designated players allowed to go "Oh my!" as the simulation's orchestrated world comes crashing down around you. You're not exactly in a position to ask whether or not you've been party to pre-arranged or scripted crap.

DD won't go into it, but it hasn't seen one yet where the object wasn't simply to create an escalating disaster that flummoxed players, no matter what they did. They never take into account the natural resilience and expertise which may exist within the citizenry or even simple things like Murphy's Law. The terrorists always have perfect execution. Entropy always works for them.

By the standards of old-timey electronic Pearl Harbor/cyberterror scenarios, Suellentrop's simulation was unimaginative. Hackers mess with the 9/11 system. It's the first thing everyone thinks of and goes back to the Nineties' most notorious fed cyberterror simulation, Eligible Reciever.

Cyberterrorists then deface a government web page! Wow! No one thinks to say to the refs, "So what, who's waiting with bated breath to read it?" Or, "If a tree falls in cyberspace and no one is around to hear it, does it make a sound?"

Electronic highway signs are made to display a message that indicates a bioterror attack is underway. By experience, no such highway signs exist in Pasadena. Some can be found on the multiple highways surrounding southern California, but I'm far from sure such a message would have much impact on the tremendous volume of motorists rushing by.

More buttons were pushed and a hospital was worked over. Always, people die.

"I'm talking about people shutting down a city's electricity . . . shutting down 911 systems, shutting down telephone networks and transportation systems," said Richard Clarke to the New York Times in 1999. "You black out a city, people die. Black out lots of cities, lots of people die."


Read the adventures of the smarty-pants -- at the famous tech comic book, WIRED.

And indeed Wired News did cover the cyberterror beat. Noah Schactman of Defensetech sends over a 2002 story entitled Terrorists on the Net? Who Cares?

An excerpt:
"The idea that hackers are going to bring the nation to its knees is too far-fetched a scenario to be taken seriously," said Jim Lewis, a 16-year veteran of the State and Commerce Departments. He compiled the analysis for the Center for Strategic and International Studies.

"Nations are more robust than the early analysts of cyberterrorism and cyberwarfare give them credit for," Lewis wrote in the report. "Infrastructure systems (are) more flexible and responsive in restoring service than the early analysts realized, in part because they have to deal with failure on a routine basis."

A recent Congressional Research Service report also dealt with cyberterror in a foolish manner. Distributed by Steven Aftergood's Secrecy Project at the Federation of American Scientists here -- the CRS does not desire its analyses to be "public" for nonsensical reasons -- DD hopes to get to it soon.


Anonymous Anonymous said...

Thanks for your rational thought on this. I've been in the computer security industry for many years and I have yet to see a computer cause anyone to experience the emotion of terror.

7:42 AM  
Anonymous Anonymous said...

"I have yet to see a computer cause anyone to experience the emotion of terror."

You obviously haven't experienced the "terra" that comes from watching your latest version of your PhD thesis disappear into a series of corrupted files and gibberish!

8:26 PM  

Post a Comment

<< Home