03.22.12
The Bogometer is blinking red … reset it, please
History means a lot on the cybersecurity/cyberwar beat. Particularly not knowing it.
If you’re reporter on the cyber-disaster line you probably don’t remember what went on five years ago. And, under no circumstances, do you recall or even care what transpired before that. Short attention/retention is your thing. To be otherwise threatens the job security, making it harder to work.
So most have no idea how truly deadening and repetitive is the messaging on the subject.
Names change a little. But the claims are always the same. The sky is about to fall.
Lots of reasons for it in the US psyche. Almost too many to write about thoroughly in even a year’s worth of blog posts.
Today, among others having to do with being self-serving, there’s the national trait, or character flaw, of a kind of bragging grandiloquent importance coupled with the bright seam of American paranoia toward the outside world.
And it’s all hung on the hooks of bad days from national history.
Add a strong dose of the American belief that sometimes bullshit magically transforms into not-bullshit if a few people with well-known names in Congress say it. (This being part of abuse of argument from authority and the American techno-shaman reliance upon truth being a matter of majorities quoted in the press, mentioned a few hours earlier.)
Lawmakers and administration officials have warned of potentially catastrophic consequences if Congress doesn’t pass cybersecurity legislation this year, but some observers question whether the rhetoric is overblown.
“Think about how many people could die if a cyber terrorist attacked our air traffic control system and planes slammed into one another,” Sen. Jay Rockefeller (D-W. Va.) testified at a Homeland Security and Government Affairs Committee hearing last month. “Or if rail-switching networks were hacked — causing trains carrying people, or hazardous materials — to derail and collide in the midst of some of our most populated urban areas, like Chicago, New York, San Francisco or Washington.”
At the hearing, committee Chairman Joe Lieberman (I-Conn.) said he feels like it’s Sept. 10 2001, on the eve of a devastating terrorist attack.
“The system is blinking red – again. Yet, we are failing to connect the dots – again,” Lieberman said.
Senior administration officials, including Homeland Security Secretary Janet Napolitano and FBI Director Robert Mueller, performed a classified demonstration of how the government would respond to a cyber attack on the New York City electrical grid in front of dozens of senators earlier this month.
“The simulation was realistic and illustrated just how dangerous inaction on cybersecurity legislation can be,??? Rockefeller said. “If we don’t take these steps now, we’ll be back at this again at some point in the future, only it won’t be an exercise.???
The hearing and demonstration were part of a push for Congress to pass the Cybersecurity Act, a bill authored by Sens. Lieberman and Susan Collins (R-Maine) that would give the Homeland Security Department the authority to require that critical private computer systems meet certain security standards.
From the Pittsburgh Post-Gazette, on September 9, 2003:
Cybersecurity expert warns of post-9/11 vulnerability
Almost two years after the devastating attacks of 9/11, former Bush White House adviser Richard Clarke sounded the alarm in Pittsburgh about a cyberattack that could be just as damaging to the national psyche, arguing that the federal government remains “slow” and “very 20th century” in its preparation for computer-based terrorist threats.
Clarke, in an interview yesterday on Carnegie Mellon University’s campus, singled out the U.S. Department of Homeland Security, led by former Pennsylvania Gov. Tom Ridge, for being sluggish in making cyberspace a true national security priority. The department, Clarke noted, has yet to appoint a director and several key managers to its National Cyber Security Division — a group asked to implement a protection plan Clarke developed before leaving the Bush administration in February.
The problem, Clarke said, is that Homeland Security leaders still “think of risks to our society in terms of things that explode and incidents that have body bags. In the 21st century, as the power blackout of Aug. 14th proved, a great deal of damage to our economy and disruption to our way of life can be done without anything exploding or anybody being killed.”
Clarke’s insistence that the country pay attention to cybersecurity has made him a polarizing figure in the computer industry and Washington D.C., where he has worked for the last four presidents and advised three of them on intelligence and national security matters.
He left the White House as Bush’s cybersecurity czar in February, to become a consultant. Known for his contempt of bureaucracy and his critique of pre-Sept. 11 intelligence failures, Clarke emerged after 9/11 as the digital Paul Revere, warning that the country’s electrical power, finance, telecommunications, transportation, water and especially the Internet are all vulnerable to cyberattack.
In making his case for shoring up the nation’s electronic infrastructure, Clarke is getting support from Pittsburgh and specifically, CMU. With Clarke’s assistance, CMU computer scientist Roy Maxion sent a letter last year to President Bush warning that “our nation is at grave risk of a cyberattack that could devastate the national psyche and economy more broadly than did” the 9/11 attacks.”
The letter, cosigned by Maxion’s CMU colleague John McHugh and more than 50 of the country’s top computer scientists, laid out a nightmarish scenario involving the sudden shutdown of electric power grids, telecommunications “trunks,” air traffic control systems and the crippling of e-commerce and credit card systems with the use of several hundred thousand stolen identities. “We would wonder how, as nation, we could have let this happen,” the letter said.
Maxion and his co-signers proposed a five-year cyberwarfare effort modeled on the World War II Manhattan Project, requiring an investment ranging from $500 million to $1 billion per year. “The clock is ticking,” the letter said.
Some critics maintain that Clarke and institutions such as CMU, which was awarded $35 million in federal funds last year to fight cyberterrorism, are hyping a threat that does not really exist — especially in the case of al-Qaida, the organization that carried out the attacks of 9/11.
Dorothy Denning, one of the country’s top cybersecurity experts and a professor at the U.S. Naval Post Graduate School in Monterey, Calif., said she did not sign her name to Maxion’s White House letter because “I had a certain amount of reservation about whether or not it needed to be bought to that level of attention.”
Denning has not “seen the kind of devastating attacks people are worried about,” and she hasn’t “seen terrorists actively pursing” the Internet as a weapon. Clarke, Denning added, is right to point out the “vulnerabilities in our infrastructure that could be exploited” by everyday hackers and admitted that “bad things could happen.” But “until those things do happen, no one knows what the cascading effect might be.”
Another skeptic, George Smith, is more harsh in his appraisal of Clarke’s admonitions.
“I can’t think of a single Clarke prediction or warning that was right or of any lasting value,” said Smith, senior fellow with Alexandria, Va.-based defense think tank GlobalSecurity.Org.
He added: “In 2003, it takes no great intellect to say the nation is in great danger from the electronic frontier. The fantastic claim always gets attention, diverts the mind from thornier but mundane problems … Far easier to say al-Qaida is looking to turn off the power. You don’t ever have to prove if there is even a small nugget of truth to it.”
Terrorists, Smith said, “are interested in creating bloodshed and terror. The Internet doesn’t rise to this level of impact in a way that a truck bomb does.”
Referring to the e-mail virus that has been plaguing computer systems of late, Smith argued that “you can get three or four hundred copies of SoBig in your e-mail box a day — a thousand, two thousand — and it just has no physical impact no terror juice to it.”
But Clarke, who was in Pittsburgh yesterday to speak at a computer intrusion detection conference, said he has been in this position before, warning of national security threats that some would not take seriously. Clarke, a counterterrorism coordinator under President Clinton, was among those who worried about Osama Bin Laden’s capabilities before the events of 9/11.
“An awful lot of people, unfortunately, don’t believe (a cyberattack) will happen,” he said. “And as with terrorism itself, we learned from 9/11 that you can yell and yell and yell and imagine something happening and say it is going to happen, as I did with regard to al-Qaida, and no one believes you enough to act until it happens.”
As for al-Qaida, Clarke claims that some of its followers have master’s degrees in computer science, and that “there is lots of evidence that al-Qaida has downloaded sophisticated hacking tools because we have seized their computers and know what’s on them. So, I do think there is grounds for concern.”
But focusing on al-Qaida is missing the point, he said. “I don’t think it is terribly important who the enemy is. It doesn’t matter. What you need to worry about is the vulnerabilities.”
There are some encouraging signs that the country may be safer from cyberattacks than it was before 9/11, according to Clarke.
There is anecdotal evidence, he said, that the companies that control much of the country’s electric power generators, telecommunications lines, rail terminals and shipping containers are taking the voluntary security steps asked of them in Bush’s National Plan for Protecting Cyberspace, developed by Clarke and released earlier this year.
Bush’s plan relies on U.S. business, rather than the federal government, to shore up the nation’s computer security infrastructure. Clarke, in fact, came to Pittsburgh twice last October to drum up support for the plan, making the point that for U.S. businesses the increased costs of preparing for an attack do not have to drain a company’s productivity.
Some critics, responding to requests from the Bush administration that U.S. firms make themselves more secure, argued that companies have little incentive to pay for such measures in a slow economy.
Others said the plan itself lacked federal firepower.
“If (Clarke) had made it to correspond with the urgency of his warnings, it would have been a strong strategy with teeth in it, capable of compelling the private sector to improve security practices in many different ways,” said Smith, the senior fellow with think tank GlobalSecurity.Org. “However, when unfurled, it had no power. It might as well have not been written.”
But Clarke maintained yesterday, in an interview, that U.S. companies and the federal government are spending more money on cybersecurity and that the viruses that plagued computers this summer are forcing CEOs to pay more attention to the problem. Clarke, during his speech yesterday at CMU, even expressed confidence that this issue is making its way into pop culture, citing the recent movies “Terminator 3” and “Matrix Reloaded.”
In the latter, Keanu Reeves’ character Neo takes a tour of Zion, the last human city to survive outside the computer-generated Matrix, and is told that Zion’s citizens do not think about the machines that power the city until the machines stop working.
Paraphrasing Neo, Clarke said, “People need machines. But, machines need people, too.”
“[James A. Lewis of the Center for Strategic and International Studies] said the memory of Sept. 11 looms large for many of the lawmakers pushing cybersecurity legislation,” reads The Hill piece from March 17.
From the point of view of judgment by reputation, you would take whatever Joe Lieberman says and, for safety’s sake, put it in the trash.
The Pittsburgh newspaper piece was extracted from the archive of the old Crypt Newsletter website at NIU.