Tuesday, January 19, 2010


When looking over the last twelve months of news on cybersecurity and cyberwar, one always-reliable feature stands out: its narrow selection of sources and the supply of quote by a small number of 'names' and business interests.

In a nation as large and complicated as the United States, where there are literally hundreds of computer security businesses and operations and even more colleges and universities, many of which have eminently qualified scholars on the subject of the networked world, the mainstream media consistently relies on only about a half dozen real people -- or business interests -- to tell the story.

If China is attacking in cyberspace, a subject covered in print many times a week, only a few regularly appear to explain what's going on. If cyberwar is about to break out, the same small number can be counted on to see through the fog which blinds everyone else.

And if your primary defense-related business model is counting on furnishing cybersecurity contractors to all branches of the US government, one fans stories that electronic Pearl Harbor is stalking the nation and makes up a non-profit group to hide behind while distributing a report that says there is a dire shortage of computer security geeks.

Looking into daily newspaper databases over the last twelve months, DD blog has compiled the short list of statistics on the matter.

The King of Cyberattack Quote

The undisputed ruler, the head passer-on of all wisdoms, is Alan Paller of the Sans Institute, a business that sells training and seminars on computer security.

In the last six months, Paller returns 34 hits in major news stories on the subject. The number jumps to 84 when extended through the last twelve months.

Paller is the go-to purveyor of quote on Chinese cyberattacks, of hackers compromising everything, of cyber-looting everywhere, of the electrical grid going down, on the need for more computer security training courses and of getting a press release in as a footnote in the Obama administration's Cyberspace Policy Review.

Here is the unscientific master list, with Paller at the top:

1. Alan Paller, SANS -- 84
2. McAfee -- 80
3. James Lewis, CSIS -- 47
4. Booz Allen Hamilton -- 38
5. Symantec -- 31
6. Mike McConnell, BA -- 25
7. Paul Kurtz, Good Harbor -- 11
8. Richard Clarke, Good Harbor -- 4

'Control values':

1. Gene Spafford, Purdue -- 25
2. Marcus Ranum -- 0

In terms of security vendor businesses, the list condenses to a small number of players moving the cyberwar/cybersecurity debate in 2009: SANS, McAfee, and Booz Allen Hamilton, the latter of which jumps to number three on the list with 63 hits in major stories if you add McConnell's total.

In the case of Mike McConnell's list of citations, one remarkable feature is that not a single reporter writing these things identified him as the chief salesman of Booz Allen's cybersecurity business operation. It's a computer security business which rides on stories about looming cyberwar and the national shortage of computer security workers, to be trained on the taxpayer dime and then poached so that they can be leased to the government by Booz Allen and its competitors.

All this, even though the big aimed-at-the-US-government consulting and contracting business gleefully flogs McConnell and whatever he's saying or doing on its homepage daily.

The list narrows further when one notices that Good Harbor, Richard Clarke's cyberattack consulting business, furnished a report on cyberwar for McAfee, one which generated a number of press hits for the latter.

You'd never know Booz Allen's head cybersecurity salesman is Mike McConnell if you read US news on cyberattacks and the threat to the national infrastructure, only that he is a very wise person who was director of national intelligence for two years during the GWB administration.

Two reasons for citation cluster and narrow sourcing are procedure and sloth.

In the fast-moving news cycle, it is the standard way of most US news organizations to read whatever their competition has published and blindly duplicate it. It is the method of journalism on the subject and it is also very lazy. There can be no argument on this state of affairs. Any simple review of newspaper stories shows it to be true. The mind-numbing repetition and use of only a few sources in a country of over 300 million, one which purports to be the repository of all know-how in the world, is stunning.

And it has had a detrimental effect on the formation of policy in this country during the last decade.

Over at least the last ten years, perhaps as far back as fifteen -- or whenever DD first started seriously reading US government-generated analyses and papers on the subject -- they have been peppered with citations either taken directly from the US newsmedia or press releases from corporate security vendors.

For an example of this at the highest level, one needs merely consult the Obama administration's Cyberspace Policy Review final here.

In it a person reads of how cyberwar has caused blackouts in an undisclosed country.

Its attribution? A press release/newsletter from SANS, the business for which Alan Paller, the cybersecurity king of quote, speaks.

"Delegates at [a vendor conference] shared information on how attackers are eluding current defenses and on promising practices for mitigating the most critical vulnerabilities," reads the SANS press release linked to from the White House policy document. "They also shared a jointly developed 'SCADA and Control Systems Survival Kit.' Next week an electronic version of the Survival Kit will be available (free) to all SANS alumni."

The damage done by having a press, or way of doing business, which only relies upon a small number of sources, usually those served by the story being told, is now obvious to most people.

Even if there is a glaring truth to the narrative being peddled, that computer security is in a very fragile state and it deserves national attention, it is distorted and made self-serving by the specific business interests and vision of those writing the press releases. It is flabbergasting and more than a bit annoying when one finds some rationalization for doing things in a policy document from the White House pointing to the thin tissue of a computer security vendor press release/sales sheet.

Is there really one person who knows exactly what the Chinese are doing to attack America in cyberspace all the time? If you read the US newsmedia and take it very seriously, you'd think so.

If you read the US newsmedia, China spying on every bit of American cyberspace is a terrible thing. It is reported from a distinctly odd framework in which the US government's spying on the rest of the world and its own people is ignored.

Do Chinese computers and networks ever get attacked?

Does the US government or American computer security businesses ever hire hackers to be part of growing cyberwar/cyberdefense operations?

If you read US news, you know nothing of the former and only some about the latter.

When we hire hackers, it's OK, good for business and the security of the country. When they do the same, it's a reason to yell: "The Chinese are attacking!" (Then lobby for more good business.)

A note about 'control values:' DD blog chose one very noted computer security expert from the academy -- you could choose another -- not seen attached to corporate national computer security business incubation.

However, in the interest of full enlightenment this bit comes from the Journal and Courier of Lafayette, Indiana, on December 9 of last year:

The Northrop Grumman Cybersecurity Research Consortium will involve Purdue's Center for Education and Research in Information Assurance and Security and two other universities.

The announcement was made Tuesday at the National Press Club in Washington, D.C.

"We've been resource constrained. We have tremendous students. We have wonderful ideas, but there is not much funding in the area," said Gene Spafford, the Purdue center's executive director. "What funding has been available for the past few years has been to respond to immediate problems that have occurred."

A motivating factor in starting the consortium was to address some of the issues in President Barack Obama's report last May on cybersecurity threats and the need to be in front of issues before they become emergencies.


A selection of citation from the king of cybersecurity quote:

Alan Paller, director of research at the SANS Institute, a Bethesda, Md., security firm, said Chinese hackers target Western companies with an approach dubbed "1,000 grains of sand," meaning they go after every piece of information in search of competitive intelligence. Most companies keep silent about the attacks, but they draw heavy scrutiny from law enforcement officials.

"The odds of the 25 biggest companies in California not being fully compromised by the Chinese is near zero," Paller said. "That is true of companies across the country."
-- Los Angeles Times, Jessica Guynn, January 15 in a story entitled: Chinese hacking risk seen as dire

Alan Paller, director of research at SANS Institute, a computer-security organization, said Monday that a major law firm in New York was hacked into in early 2008 in an attack that originated in China.

FBI officials did not immediately return messages for comment on the China connection.

The hackers going after law firms, said Paller, often target companies that are negotiating a major international deal -- anything from seeking a patent on a sensitive new technology to opening a plant in another country.
-- Associated Press, November 17 in: FBI says hackers targeting law firms, PR companies

Alan Paller, director of research for the SANS Institute, a computer security training company, said a massive talent search is needed to develop a cadre of 20,000 to 30,000 cybersecurity experts. He advocates organizing "cybercamps" at prestigious universities such as New York University's Polytechnic Institute in Brooklyn, expanding national competitions, offering scholarships for service or college courses on advanced information security, and marketing attractive internships and job offers. -- October 2, State Department Documents and Publications in a story entitled Seeking a New Generation of Cyberdefenders

Press release title: SANS Institute to Host Official (ISC)2® CSSLPCM CBK® Education Seminars at Upcoming Conferences; Courses at SANS' London and Washington, D.C. Events to Address Building in Security Throughout Software Lifecycle, September 24

The [vendor-generated] study found that organizations are patching client-side vulnerabilities three to five times slower than operating-system vulnerabilities, said Alan Paller, research director at SANS Institute, a security research and education organization that collaborated on the report with others.

"For the first time, we know where the bad guys are attacking and, oh darn, those are not the areas we're protecting," Paller said.
-- San Francisco Chronicle, September 16, in Cybersecurity - or lack thereof - alarms experts

JEANNE MESERVE: Chinese cyber capabilities are sophisticated and though difficult to prove the government and its surrogates are believed to have infiltrated computers at most U.S. government agencies.

ALAN PALLER, SANS INSTITUTE: The sad joke in the Pentagon is if somebody can't find a document somebody else says, well, call the Chinese.

MESERVE: Computer experts say hackers may have left behind code that could be triggered to shut down or destroy critical infrastructure, even weapons systems. The Pentagon recently told Congress, "Of all the foreign intelligence organizations attempting to penetrate U.S. agencies Chinese are the most aggressive."
-- CNN, September 9, 2009

Alan Paller, director of research at SANS Institute, a computer-security training group, said that health data are a new target of organized-crime groups. Experts say a copy of a medical record can fetch money on the Internet black market. -- The Washington Post, July 30 in File Sharing Leaks Sensitive Federal Data, Lawmakers Are Told

On March 12, 2007, the CEO of one of the nation's largest defense contractors learned of a call from the Office of the Secretary of Defense informing his firm that the FBI had evidence that his company had allowed another nation to steal details of some sensitive technology that DOD had contracted to develop. There was no getting the data back. In a meeting at the Pentagon the next week, the executive learned he was not alone. Around the table were other defense contractor executives who had suffered similar breaches. -- June 22, Alan Paller penned op-ed in Dr. Dobb's Report entitled How The U.S. Changed Its Security Game

A third computer specialist, Alan Paller, told the Senate Committee on Homeland Security and Governmental Affairs on April 29 that China's military in 2005 recruited Tan Dailin, a graduate student at Sichuan University, after he showed off his hacker skills at an annual contest.

Mr. Paller, a computer security specialist with the SANS Institute, said the Chinese military put the hacker through a 30-day, 16-hour-a-day workshop "where he learned to develop really high-end attacks and honed his skills."

A hacker team headed by Mr. Tan then won other computer warfare contests against Chinese military units in Chengdu, in Sichuan province.

Mr. Paller said that a short time later, Mr. Tan "set up a little company. No one's exactly sure where all the money came from, but it was in September 2005 when he won it. By December, he was found inside [Defense Department] computers, well inside DoD computers," Mr. Paller said.
-- The Washington Times, May 12 in China bolsters for 'cyber arms race' with U.S

Alan Paller, director of SANS Institute, a security training and information center that has worked closely with utilities operating Supervisory Control and Data Acquisition (SCADA) systems as well as government agencies, says the potential for a massive cyber-attack on the power grid is real.

Paller says some in the industry may be in denial about it, but "the Wall Street Journal article may be the first step in a 12-step program for utility executives."
-- April 9, Network World in How serious is threat to power grid? Depends who you ask.

The Booz Allen Hamilton model of cybersecurity business promotion

Selected quotes:

The Internet is the nation's "soft underbelly," says former national intelligence director Michael McConnell. The Greenville native and Furman graduate further warns that the Net has "introduced a level of vulnerability that is unprecedented." -- The Charleston Post and Courier, Nov. 2, in an opinion piece entitled Think before you click

TechAmerica holds a 2009 Vision Conference to "provide a ten-year outlook for U.S. defense spending, and forecast the next five years of federal civilian information technology spending," October 21-22.

AGENDA: Highlights :
-- 7:45 a.m.: Ann Gladys of CSC; and Phil Bond, president of TechAmerica, delivers welcome remarks
-- 8 a.m.: Vivek Kundra, federal chief information officer in the Office of Management and Budget, delivers keynote address
-- 9:30 a.m.: Madeleine Andre of IBM; and Steven Kramer of Booz Allen Hamilton, discuss the "IT Budget Forecast"
-- 10:15 a.m.: Joe Guirreri of KGS; Larry Reagan of Qbase; and Charmaine Edwards of Lockheed Martin, discuss "DHS (Homeland Security Department)"
-- 12:45 p.m.: Art Oberhofer of Verizon Business, participates in a track discussion on "Government Agencies: Transportation Department"
-- 2:30 p.m.: Mary Swann of Northrop Grumman, participates in a track discussion on "Federal Health: State Department"
-- Federal Information and News Dispatch, October 22

The internet, said former national intelligence director Michael McConnell, "is the soft underbelly" of the United States.

Speaking at a cybersecurity exhibit at the International Spy Museum in Washington, McConnell said the internet has "introduced a level of vulnerability that is unprecedented."

The Pentagon's computer systems are probed 360 million times a day, and one prominent power company has acknowledged that its networks see up to 70,000 scans a day, according to cybersecurity expert James Lewis.

For the most part, those probes of government and critical infrastructure networks are benign.

Many, said McConnell, are a nuisance and some are crimes. But the most dangerous are probes aimed at espionage or tampering with or destroying data.

The attackers could be terrorists aiming at the U.S. culture and economy, or nation-states looking to insert malicious computer codes into the electrical grid that could be activated weeks or years later.

"We are the fat kid in the race," said Lewis. "We are the biggest target, we have the most to steal, and everybody wants to get us."

And if, for example, the United States gets into a conflict with China over Taiwan, "expect the lights to go out," he said.
-- Associated Press, October 5, in a story entitled Computer experts agree: Cybersecurity begins at home

In the United States, the Washington-based, nonprofit Partnership for Public Service and private contractor Booz Allen Hamilton published a 2008 report called Cyber In-Security, which suggests that government and private-sector computer networks will be unable to fend off expected attacks by criminal groups, foreign nations, terrorists and individual hackers unless there is a huge increase in the number of federal cybersecurity experts. -- October 2, State Department Documents and Publications in a story entitled Seeking a New Generation of Cyberdefenders

So a recent report by the Partnership for Public Service, a group that promotes government service, and consultant Booz Allen Hamilton that the federal government is having trouble finding and attracting a talented cyber-security workforce is worrisome. Among other findings, the survey noted that only 40 percent of hiring managers were satisfied or very satisfied with the number of qualified applicants for information security positions and that 77 percent were dissatisfied with the time it took to hire someone. -- The Washington Post, August 2, in a story entitled Cyberhelp Wanted: The federal government lacks a sensible hiring process -- and enough good candidates -- to guard computer networks.

"You can't win the cyber war if you don't win the war for talent," said Max Stier, president of the Partnership for Public Service, a Washington-based advocacy group that works to improve government service. "If we don't have a federal work force capable of meeting the cyber challenge, all of the cyber czars and organizational efforts will be for naught."

The study was drafted by the partnership and Booz Allen Hamilton as the Obama administration struggles to put together a more cohesive strategy to protect U.S. government and civilian computer networks.
-- Associated Press, July 22, in a story entitled Report: Shortage of cyber experts may hinder govt

Cyberwar would not be as lethal as atomic war, of course, nor as visibly dramatic. But when Mike McConnell, the former director of national intelligence, briefed Mr. Bush on the threat in May 2007, he argued that if a single large American bank were successfully attacked ''it would have an order-of-magnitude greater impact on the global economy'' than the Sept. 11, 2001, attacks. Mr. McConnell, who left office three months ago, warned last year that ''the ability to threaten the U.S. money supply is the equivalent of today's nuclear weapon.''

The scenarios developed last year for the incoming president by Mr. McConnell and his coordinator for cybersecurity, Melissa Hathaway, went further. They described vulnerabilities including an attack on Wall Street and one intended to bring down the nation's electric power grid.
-- The New York Times, April 28, in a story entitled U.S. Plans Attack and Defense in Web Warfare

Northrop Grumman's teammates include JB Management, Alexandria, Va.; Quantum Research International Inc., Huntsville, Ala.; Lockheed Martin, Bethesda, Md.; SAIC, San Diego; and Booz Allen Hamilton and QinetiQ North America, both of McLean, Va.

Northrop Grumman is an industry leader in all aspects of computer network operations and cyber security. Northrop Grumman is offering customers innovative solutions to help secure the nation's cyber future.
-- Global Newswire press release, April 24, in a slug entitled Northrop Grumman's Cybersecurity Team Receives Army Information Operations Award Potentially Worth $430 Million

"In today's current state, there's a good chance that you've already been compromised," Timothy McKnight, vice president of a Northrop Grumman cybersecurity division, told the Los Angeles Times today.

"To bolster their staffs, military firms have been hiring former top government officials ... "

"The military industry, having already done extensive work protecting federal government computers, may be in a good position in the emerging market that could exceed $100 billion in revenue within the next decade ..."

The Cult of Cyberattack -- from the archives.

Electronic Pearl Harbor Games Until Nausea -- here.

The King of Quote, the alpha and omega, the yin and the yang -- even more.


amanfromMars said...


There ain't no experts at Cyber Security, but some real SMART Virtual Operating Systems Crash Testing the Markets with Exploitations of Systemic Legacy Vulnerabilities in their Programs with PROMISed Software for Wealth, which have not been Provided with ITs Upgrades to Guarantee an Exclusive Continued Executive Retention of Leading Control of the Magical Powers in Global Wealth Invention and Distribution.

And that is a Catastrophic Oversight which can only be Plugged and Remedied with the Right Kind of Intelligence Supply ..... which would be the same sort of Intelligence which would know how to Crash the System Catastrophically with some Simply Shared Crack Code, for one cannot fix a CyberSpace Vulnerability without Knowing how the Attack can be Launched and Commanded to ExtraOrdinarily Render the Targeted Operating System/SCADA Systems, Irreparably Damaged and Demonstrably Obsolete and Unfit for Future Beta Virtual Purpose, for of course, CyberSpace is a Novel SurReal Space in which All Normal Rules of Engagement do not Necessarily Apply and Traditional Thoughts are Useless against the Viably Imaginative Irregular and Unconventional.

And as if that were not Bad Enough in itself, there is the Added Very Real Danger of Guided Mob Violence against Present Market Giant Heads during and after the Process of Collapse, with the Simply Shared Crack Code Running Wild across Webs and Networks InterNetworking readily Proving and Identifying the Present Exclusive Executives of Wealth Generation and Liquidity Distribution for the Global Establishment, and who will have been Rendered beyond any Shadow of Doubt as Crooked Scam Artists and Pathetic Ponzi Merchants, Living like Kings for Free and Enslaving all Others with their Controls on Printed Currency. And that would be certainly best avoided at whatever it takes cost, although whenever such can be avoided with currency distributed to the Right and Proper Intelligence Sources and Global Communications Head Quarters, is it an Astute SMARTer Investment in a Valuable Future Asset rather than Anything Else and Lesser.

You don't really want to be stepping into the CyberSpace Arena unless you are Really Sure that you are Definitely SMARTer Enabled and Fit for ITs Crazy Virtual Purposes, for IT does not Accept or Tolerate Fools in its Work, Rest and Play Spaces ..... Live Operational Virtual Environments.

And more than just a little Knowledge in Quantum Control Systems would Assist HyperRadioProActive IT [a QuITe Alien Discipline :-)] Admirably too, for CyberIntelAIgent Security Operations Centres Mentor and Monitor CyberSpace Stealthily with and for the Greater Mutual Benefit of Future Shared Elevated Experiences ...... with Escalating Elevated and Enabling Privileges in Operating Systems being very much a Lucrative Objective and Engaging Subject in Current Vogue for Pleasant Rogues and Private Pirates and Future Programmers, and a Lead Topic in Specialised AIdDiscussions today ...... http://amanfrommars.baywords.com/2010/01/20/100120/ .... with Tomorrow most probably already filled with Most Probably Already More.

7:44 AM

Porchop said...

"Is there really one person who knows exactly what the Chinese are doing to attack America in cyberspace all the time?"

Answer: yes, at least 6 that I know of here in DC.

The whole point of espionage is to do things to your opponents without them knowing you are doing it.

8:14 AM

George Smith said...

Six? Are you sure it's not 3 or 12 or thirty, or whoever's read the quote from the king in a newspaper or magazine?

Haven't been able to get around to compiling the similar amount from James Lewis yet.

8:19 AM

Anonymous said...

You are worried about China? You are just going through a Recession which was a cybertechnology coup d'etat against a democratic government by Wall Street. Goldman has a computer in the NYSE so it can front run incoming buy orders - likely the same software that was stolen. A Wall Street lawyer with a straight face stood in court and said it could do harm in the wrong hands. Like it was in the right hands when Wall Street had it? They brought your country to its knees and you sat and watched.

With all the jerk-off hackers in the US wasting everyone's time with Trojans and Viruses, why don't they make themselves useful and stick cybertechnology right up Wall Street's butt? Hack the banks and brokerages and global corporations who have your government hostage, you little twits. They took billions away from the middle class and transferred it to the top 10%. Get in and transfer it back or to the government or to the police. People with the right skill sets bitch and screw around instead of fighting their arch enemy from within - it isn't China - what is wrong with you young cybersmart Americans? It's time for a reverse coup, in case you haven't noticed. Once in, move money around - not to your accounts either - do the right thing. Street demos are suicidal, but if someone does do something, you're toast. Strut your stuff. Take back America. Re-instate the government you elected. Bust up the Fed - non-violently!

8:19 PM  
