Thursday, November 12, 2009


The Cult of Cyberattack made a big appearance on Sunday night. Credit 60 Minutes, the show devoting its opening segment to the standard style of be-very-afraid-whoopie-cushion news on gathering black menace.

Although it was delivered as something new and serious, DD will quote from a past post -- one from two years ago here to begin the putting of it in perspective:

Many years ago 'electronic Pearl Harbor' news stories were commonplace. They were always the same. A variety of mountebanks encompassing computer security software and hardware vendors, government officials and think-tanks 'experts' would be lined up to contribute to a mythology that alleged United States was about to be struck down by cyber-attack. Reporters would go into action as stenographers.

Such a cyberwar would deprive us of everything. Lights! Food distribution! Oil refineries would blow up! It would be worse than an earthquake!

For 60 Minutes, the script was changed very little.

It is not only the lights that get turned off, but also now the banks -- Wall Street.

"Admiral [Mike McConnell], the former director of national intelligence [under the Bush administration], worries about the integrity of America’s money supply," reported 60 Minutes.

Here's the excerpt:
"I know that people in the audience watching this are going to say, 'Could somebody steal money out of my bank account or could somebody attack a bank that would wipe out my life savings?'" host Steve Kroft asked.

"And the answer is yes, that's possible, but that is not the major problem. The more insidious issue is, what happens when the attacker is not attempting to steal money, but to destroy the process that accounts for money? That's the real issue we have to worry about," McConnell said.

"It's all record keeping. It's accountability of the wealth and the movement of that money through the system that had to be reconciled at the speed of light. So if you impact or contaminate the data or destroy the data where you couldn't have reconciliation, you could have cascading impact in the banking system," he added.

Asked to describe the consequences, McConnell said, "If everybody goes down to take the money out, it's not there. So that's the issue. Since banking is based on confidence, what happens when you destroy confidence?"

Yes, what happens when you destroy confidence in banks?

Every American knows what happens. The US government bails out Wall Street with taxpayer money as the world economy is made a shambles. One year later, unemployment is surging for average Americans, although the bankers who caused the mess have again enjoyed huge bonuses.

This has, in effect, created two worlds. The one most live in like readers of this column. And the world of banks, where the outlook is swimming.

This is not what McConnell had in mind at 60 Minutes. However, it does also illustrate the split between the world where cyberwar crazies dwell and our own.

In the former, McConnell perhaps has no real idea how average Americans live. He left that long ago.

Now McConnell is a Senior Vice President for Booz Allen Hamilton, leading the company's "national security business unit" where, presumably, it is his job to facilitate and obtain contracts for the offering strategic advice and services on how to defend the banks from the cyberattacks he says could be coming. And the mischief that has tanked the economy is not brewing at home, it's everywhere else.

What could be better than to have a VP on 60 Minutes telling everyone about the lurking menace of cyberattack, being able to feature that on your homepage right next to your links for cybersecurity job staffing for positions like "Defense Intelligence Critical Infrastructure and Homeland Defense Analyst" or "Iranian Cyber All-Source Analyst"? In case that country is planning to cyberattack us.

"Booz Allen Hamilton, a leading consulting firm, helps government clients solve their toughest problems with services in strategy, operations ..." reads the website.

One sees the work afoot here. It could not be more obvious. One has the right to make a good living and there is no better place to present a sales pitch refined into a story of national menace then at 60 Minutes.

For 60 Minutes, blowing up an oil refinery, which was first circulated in the late Nineties (see here) as what something China was preparing to do to the US, was rolled out, too.

"In one test, [experts] simulated how they could have destroyed an oil refinery by sending out code that caused a crucial component to overheat," reported the news show on Sunday.

"The first thing you would do is turn it to manual controls so that your automatic controls aren't protecting you," John Mulder explained. He was apparently working on a computer model at one of the national labs.

"Asked what the main target would be, Mulder said: "The heating element and the re-circulator pump. If we could malfunction both of those we could cause an explosion.'"

The other two regular features present in almost all cyberattack stories over the past fifteen years are the "turn off the lights" horror story and the "stealing US military intelligence" scandal.

President Barack Obama employed the turn out the lights myth -- and I'll explain why I call it a myth in a sec -- in his nationally aired speech on cybersecurity earlier this year.

"[Cyberattacks] have plunged entire cities into darkness," said the president back in May.

And in his administration's review of cybersecurity, the claim was attributed to what was essentially a SANS Institute vendor-furnished press release, delivered at a security conference, a statement which claimed the CIA had confirmed to the vendor, Alan Paller, that this was so.

Specifically, the dissection of it was ably handled at vmyths here.


Who did it? Paller doesn't know.
When did they do it? Paller doesn't know.
Where did it occur? Paller doesn't know.
Why did they do it? Paller doesn't know.
How widespread was the blackout? Paller doesn't know.
Did the extortion scheme succeed? Paller doesn't know.
Whose power grid Internet connection did they exploit? Paller doesn't know.
How many victims perished in the attack? Paller doesn't know.
What did it cost to clean up after the attack? Paller doesn't know.

That was in 2008.

And the people writing the Obama administration's review of cybersecurity thought it such a good story, they included it. And a citation: One which indicated a press release.

So what do you do if you are part of the Cult of Cyberattack in late 2009 and enough doubt has been tossed on the lights-out claim to make it look like you're delivering spoiled goods?

You turn up the volume, without actually providing substantial proof for an extraordinary claim.

"President Obama didn't say which country had been plunged into darkness, but a half a dozen sources in the military, intelligence, and private security communities have told us the president was referring to Brazil," reported 60 Minutes.

"Several prominent intelligence sources confirmed that there were a series of cyber attacks in Brazil: one north of Rio de Janeiro in January 2005 that affected three cities and tens of thousands of people, and another, much larger event beginning on Sept. 26, 2007 ... It is not clear who did it or what the motive was."

It is another instance of an argument from anonymous authority -- "prominent intelligence sources" -- delivered through another prominent venue, 60 Minutes, unquestioningly. One which made no effort to provide substantial proof of an extravagant and astonishing claim.

And that's what myths are often made from. Something that sounds good, something which sounds superficially substantive, passed around by others passed off as authority figures. And everyone knows such things never happen, or become the driver of policy and action, in the United States.

In any case, it is just as easy to make the argument that a few 'prominent intelligence sources' and 'experts' in the 'private security community' had heard the same Brazil blackout rumour back in 2008. Which was most assuredly so, because it made a few news sources and was also widely criticized.

Then they began gossiping about it with even more colleagues. Because people love to spread good stories, particularly when such stories serve their world view.

As for the 'stealing US military intelligence' scandal, 60 Minutes reported:
"In 2007 we probably had our electronic Pearl Harbor. It was an espionage Pearl Harbor," [Jim Lewis of CSIS] said. "Some unknown foreign power, and honestly, we don't know who it is, broke into the Department of Defense, to the Department of State, the Department of Commerce, probably the Department of Energy, probably NASA. They broke into all of the high tech agencies, all of the military agencies, and downloaded terabytes of information ... The Library of Congress, which has millions of volumes, is about 12 terabytes. So, we probably lost the equivalent of a Library of Congress worth of government information in 2007 ..."

The official "electronic Pearl Harbor" archive, which collects government expert and official claims in the news from 1993 to 2000 is here.

In the late Nineties, the stolen information scandal was called Moonlight Maze, and DD excerpts from old writing on it:

Moonlight Maze was an operation in which "vast amounts of technical defense research were illegally downloaded and transferred to Russia."

And those materials were? No one could say.

The London Sunday Times wrote the most influential story on Moonlight Maze in mid-1999, one that served as an inspiration for all subsequent pieces in the US newsmedia.

In Moonlight Maze, secret documents had been stolen but the US military could not determine what was in them or which ones, precisely, had been stolen. Whatever the amount, it was a lot.

Further, this information -- claimed the Times -- had been revealed at a private computer security conference by an employee of the Space and Naval Warfare Systems Command (SPAWAR).

The Times article speculated that either Russia or China could be behind the "cyberwar" that only the Pentagon could see because: ". . . Russia's relations with America have reached their lowest ebb since the cold war because of NATO's intervention in Yugoslavia. Relations with China have also suffered. An offensive in cyberspace may be their one way of retaliating without getting into a shooting war."

The London paper also speculated that Russian organized crime might be behind Moonlight Maze, and that: "China, Libya and Iraq are developing information warfare capabilities and, according to one White House official, 'we see well-funded terrorist groups that also have such capabilities'."

The London Sunday Times piece set a hallmark by which subsequent stories in the US media on Moonlight Maze could be judged:

That is, Moonlight Maze stories were recognizable by their almost complete reliance upon gossip and speculation; their complete lack of definition in the who, what and where categories; and a stupefying preponderance of anonymous sources from the Pentagon, intelligence agencies, and/or the private computer security industry speculating or expostulating for journalists.

Throughout the latter part of the summer of 1999, reporters from the mainstream media contacted me about Moonlight Maze. The story had taken on a life of its own even though there was a complete lack of substantive evidence to go on. It was clear that Moonlight Maze was going to enjoy a second lifetime in the news and, indeed, a media cascade resulted in the second week of October of that year, mostly built upon a wave of copycat reporting and inconclusive statements about the affair made in a Congressional hearing that week.

All of the reporters who contacted DD for comment had one thing in common.

They were all working from the same script. In addition to being inspired by the London Sunday Times piece, they all said or wrote that one "anonymous" source in "the Pentagon" was telling them that "Russian hackers" working off of the "Russian Academy of Sciences'" Internet domain were "involved."

"The computer assaults have given fresh impetus to measures ordered by [President] Clinton more than a year ago to protect the country's electronic infrastructure. Alerted to the threat of Moonlight Maze, the president has called for an extra $600 [million] to help fund a variety of initiatives, including [boosted investment in the National Infrastructure Protection Center]," reported the London Times in 1999.

The original collection on Moonlight Maze from the old Crypt Newsletter website is here.

And that has been the pattern and strategy used by the Cult of Cyberattack: Push stories into the mainstream media for the boosting of investment in the firms which dispense advice and services on combating the threat. Indeed, cyberattack stories can be motivated by as little as a desire to get one's name in the news for the establishment of a reputation. It is an easy way to get one's ticket punched. And since government experts and officials often have an eye toward taking a rewarding place in the world of private sector security, these are also a means of signaling that one is a good fellow for the profession and ready to work for the right team.

Indeed, if your job depends on there being a very serious, pressing and imminent cyberattack menace, then you are one of the least likely to be delivering critical thinking on the subject. In fact, just the opposite, because the business depends upon the growth of the threat of cyberattack, or just great belief in its growth, not a cold business neutral appraisal of the true extent of it.

In fact, in writing an article on digital Pearl Harbor in 1994, DD pointed out the same, that one of the leading 'experts' predicting it was delivering these prognostications from a big defense contractor in the business of providing services to ward it off. And in a subsequent letter to the magazine in which the piece was published, an Assistant Sec'y of Defense who was also a lead proselytizer for the imminence of cyberattack in the Clinton administration objected very strongly to that.

However, it was a legitimate criticism then. And it's even more legit now.

These have always been fairly transparent and self-serving ploys. But they are of little interest to the US public in 2009. Beaten down by the shriveled economy and unemployment, there's no clamor -- no populist outcry -- for increased cyberdefense and attack spending.

There is no obvious pressing demand for it, period, other than from the security vendors and those who lease their analytic, cybersecurity and cyberwar IT workers to the Department of Defense and intelligence agencies.

By the same token, while the Cult of Cyberattack lobby is not nearly as powerful as, say, the health insurance lobby, it also comes in for much less scrutiny.

"Congress has noticed, allocating $17 billion for a top secret national cyber security initiative ..." noted 60 Minutes.

And a chunk is going to implement the Cult of Cyberattack's offensive arm by the hiring of more people to explore and develop ways of propagating badness on the Internet. As if there is not enough of that already.

Since there is no oversight of this activity obvious from the outside, many armed with common sense might be inclined to say: "Whoah, pardner. We've had enough."

However, it's unlikely this is how things will go down. Because, as in everything else, the tendency is to give in to the national urge toward inappropriate bragging, congratulating oneself about how mighty you are at cyberattack, as in all things. And that has already apparently gone to some heads. The US is in the top tier of cyberwarfighting, claimed someone allegedly important and wise for 60 Minutes.

The 60 Minutes thing.


In a bit longer form at SITREP. Page down to the tail if you're curious about the additions.

Readers may have noticed, if watching the Rachel Maddow show, that RM briefly roped in 60 Minutes, cyberattack and the recent Brazil blackouts earlier in the week. It was hard to discern the point of it although there seemed to be an insinuation that if we don't protect infrastructure, look what will happen.

The more obvious conclusion to be drawn, one that's taken from the perspective of knowing the history of the use and abuse of the cyberattack and blackout story, is that NOW whenever a major blackout occurs in the civilized world ... instead of thinking about the usual reasons for it from the physical world, there will always be someone yelling, even hoping, for cyberattack. And that blackouts will, even if there is strong evidence to the contrary, infrequently but lastingly be blamed on cyberwar. Such is the nature of the human mind, its relationship with paranoia and the enthusiasm for belief in strange things, even when they may not be true.

Particularly if the analysis of a more dull reason for outage is slow in coming.

After all, only the US could coin the insane famous aphorism:

Absence of proof is not proof of absence.

Another potential, also anchored in human frailty and coupled with the expansion in employment of people and secret agencies to "do" US cyberwar, is what I might call "the poor man's Bruce Ivins" syndrome.

There's always been plenty of "they're not listening to me, my worth and genius have been unappreciated, so I'll show them all by screwing someone/anyone over" in this country. It's a strong motivator for the mentally ill as well as those self-inclined to erratic and impulsive behavior.

The last Die Hard movie was floated entirely on this premise.

So I leave it to readers to figure out what a 'poor man's Bruce Ivins" might mean.


Post a Comment

<< Home