03.22.12

The Bogometer is blinking red … reset it, please

Posted in Culture of Lickspittle, Cyberterrorism at 3:47 pm by George Smith

History means a lot on the cybersecurity/cyberwar beat. Particularly not knowing it.

If you’re a reporter on the cyber-disaster line you probably don’t remember what went on five years ago. And, under no circumstances, do you recall or even care what transpired before that. Short attention/retention is your thing. To be otherwise threatens the job security, making it harder to work.

So most have no idea how truly deadening and repetitive is the messaging on the subject.

Names change a little. But the claims are always the same. The sky is about to fall.

Lots of reasons for it in the US psyche. Almost too many to write about thoroughly in even a year’s worth of blog posts.

Today, among others having to do with being self-serving, there’s the national trait, or character flaw, of a kind of bragging grandiloquent importance coupled with the bright seam of American paranoia toward the outside world.

And it’s all hung on the hooks of bad days from national history.

Add a strong dose of the American belief that sometimes bullshit magically transforms into not-bullshit if a few people with well-known names in Congress say it. (This being part of abuse of argument from authority and the American techno-shaman reliance upon truth being a matter of majorities quoted in the press, mentioned a few hours earlier.)

From The Hill on March 17:

Lawmakers and administration officials have warned of potentially catastrophic consequences if Congress doesn’t pass cybersecurity legislation this year, but some observers question whether the rhetoric is overblown.

“Think about how many people could die if a cyber terrorist attacked our air traffic control system and planes slammed into one another,” Sen. Jay Rockefeller (D-W. Va.) testified at a Homeland Security and Government Affairs Committee hearing last month. “Or if rail-switching networks were hacked — causing trains carrying people, or hazardous materials — to derail and collide in the midst of some of our most populated urban areas, like Chicago, New York, San Francisco or Washington.”

At the hearing, committee Chairman Joe Lieberman (I-Conn.) said he feels like it’s Sept. 10 2001, on the eve of a devastating terrorist attack.

“The system is blinking red – again. Yet, we are failing to connect the dots – again,” Lieberman said.

Senior administration officials, including Homeland Security Secretary Janet Napolitano and FBI Director Robert Mueller, performed a classified demonstration of how the government would respond to a cyber attack on the New York City electrical grid in front of dozens of senators earlier this month.

“The simulation was realistic and illustrated just how dangerous inaction on cybersecurity legislation can be,” Rockefeller said. “If we don’t take these steps now, we’ll be back at this again at some point in the future, only it won’t be an exercise.”

The hearing and demonstration were part of a push for Congress to pass the Cybersecurity Act, a bill authored by Sens. Lieberman and Susan Collins (R-Maine) that would give the Homeland Security Department the authority to require that critical private computer systems meet certain security standards.

From the Pittsburgh Post-Gazette, on September 9, 2003:

Cybersecurity expert warns of post-9/11 vulnerability

Almost two years after the devastating attacks of 9/11, former Bush White House adviser Richard Clarke sounded the alarm in Pittsburgh about a cyberattack that could be just as damaging to the national psyche, arguing that the federal government remains “slow” and “very 20th century” in its preparation for computer-based terrorist threats.

Clarke, in an interview yesterday on Carnegie Mellon University’s campus, singled out the U.S. Department of Homeland Security, led by former Pennsylvania Gov. Tom Ridge, for being sluggish in making cyberspace a true national security priority. The department, Clarke noted, has yet to appoint a director and several key managers to its National Cyber Security Division — a group asked to implement a protection plan Clarke developed before leaving the Bush administration in February.

The problem, Clarke said, is that Homeland Security leaders still “think of risks to our society in terms of things that explode and incidents that have body bags. In the 21st century, as the power blackout of Aug. 14th proved, a great deal of damage to our economy and disruption to our way of life can be done without anything exploding or anybody being killed.”

Clarke’s insistence that the country pay attention to cybersecurity has made him a polarizing figure in the computer industry and Washington D.C., where he has worked for the last four presidents and advised three of them on intelligence and national security matters.

He left the White House as Bush’s cybersecurity czar in February, to become a consultant. Known for his contempt of bureaucracy and his critique of pre-Sept. 11 intelligence failures, Clarke emerged after 9/11 as the digital Paul Revere, warning that the country’s electrical power, finance, telecommunications, transportation, water and especially the Internet are all vulnerable to cyberattack.

In making his case for shoring up the nation’s electronic infrastructure, Clarke is getting support from Pittsburgh and specifically, CMU. With Clarke’s assistance, CMU computer scientist Roy Maxion sent a letter last year to President Bush warning that “our nation is at grave risk of a cyberattack that could devastate the national psyche and economy more broadly than did” the 9/11 attacks.

The letter, cosigned by Maxion’s CMU colleague John McHugh and more than 50 of the country’s top computer scientists, laid out a nightmarish scenario involving the sudden shutdown of electric power grids, telecommunications “trunks,” air traffic control systems and the crippling of e-commerce and credit card systems with the use of several hundred thousand stolen identities. “We would wonder how, as nation, we could have let this happen,” the letter said.

Maxion and his co-signers proposed a five-year cyberwarfare effort modeled on the World War II Manhattan Project, requiring an investment ranging from $500 million to $1 billion per year. “The clock is ticking,” the letter said.

Some critics maintain that Clarke and institutions such as CMU, which was awarded $35 million in federal funds last year to fight cyberterrorism, are hyping a threat that does not really exist — especially in the case of al-Qaida, the organization that carried out the attacks of 9/11.

Dorothy Denning, one of the country’s top cybersecurity experts and a professor at the U.S. Naval Post Graduate School in Monterey, Calif., said she did not sign her name to Maxion’s White House letter because “I had a certain amount of reservation about whether or not it needed to be brought to that level of attention.”

Denning has not “seen the kind of devastating attacks people are worried about,” and she hasn’t “seen terrorists actively pursuing” the Internet as a weapon. Clarke, Denning added, is right to point out the “vulnerabilities in our infrastructure that could be exploited” by everyday hackers and admitted that “bad things could happen.” But “until those things do happen, no one knows what the cascading effect might be.”

Another skeptic, George Smith, is more harsh in his appraisal of Clarke’s admonitions.

“I can’t think of a single Clarke prediction or warning that was right or of any lasting value,” said Smith, senior fellow with Alexandria, Va.-based defense think tank GlobalSecurity.Org.

He added: “In 2003, it takes no great intellect to say the nation is in great danger from the electronic frontier. The fantastic claim always gets attention, diverts the mind from thornier but mundane problems … Far easier to say al-Qaida is looking to turn off the power. You don’t ever have to prove if there is even a small nugget of truth to it.”

Terrorists, Smith said, “are interested in creating bloodshed and terror. The Internet doesn’t rise to this level of impact in a way that a truck bomb does.”

Referring to the e-mail virus that has been plaguing computer systems of late, Smith argued that “you can get three or four hundred copies of SoBig in your e-mail box a day — a thousand, two thousand — and it just has no physical impact no terror juice to it.”

But Clarke, who was in Pittsburgh yesterday to speak at a computer intrusion detection conference, said he has been in this position before, warning of national security threats that some would not take seriously. Clarke, a counterterrorism coordinator under President Clinton, was among those who worried about Osama Bin Laden’s capabilities before the events of 9/11.

“An awful lot of people, unfortunately, don’t believe (a cyberattack) will happen,” he said. “And as with terrorism itself, we learned from 9/11 that you can yell and yell and yell and imagine something happening and say it is going to happen, as I did with regard to al-Qaida, and no one believes you enough to act until it happens.”

As for al-Qaida, Clarke claims that some of its followers have master’s degrees in computer science, and that “there is lots of evidence that al-Qaida has downloaded sophisticated hacking tools because we have seized their computers and know what’s on them. So, I do think there is grounds for concern.”

But focusing on al-Qaida is missing the point, he said. “I don’t think it is terribly important who the enemy is. It doesn’t matter. What you need to worry about is the vulnerabilities.”

There are some encouraging signs that the country may be safer from cyberattacks than it was before 9/11, according to Clarke.

There is anecdotal evidence, he said, that the companies that control much of the country’s electric power generators, telecommunications lines, rail terminals and shipping containers are taking the voluntary security steps asked of them in Bush’s National Plan for Protecting Cyberspace, developed by Clarke and released earlier this year.

Bush’s plan relies on U.S. business, rather than the federal government, to shore up the nation’s computer security infrastructure. Clarke, in fact, came to Pittsburgh twice last October to drum up support for the plan, making the point that for U.S. businesses the increased costs of preparing for an attack do not have to drain a company’s productivity.

Some critics, responding to requests from the Bush administration that U.S. firms make themselves more secure, argued that companies have little incentive to pay for such measures in a slow economy.

Others said the plan itself lacked federal firepower.

“If (Clarke) had made it to correspond with the urgency of his warnings, it would have been a strong strategy with teeth in it, capable of compelling the private sector to improve security practices in many different ways,” said Smith, the senior fellow with think tank GlobalSecurity.Org. “However, when unfurled, it had no power. It might as well have not been written.”

But Clarke maintained yesterday, in an interview, that U.S. companies and the federal government are spending more money on cybersecurity and that the viruses that plagued computers this summer are forcing CEOs to pay more attention to the problem. Clarke, during his speech yesterday at CMU, even expressed confidence that this issue is making its way into pop culture, citing the recent movies “Terminator 3” and “Matrix Reloaded.”

In the latter, Keanu Reeves’ character Neo takes a tour of Zion, the last human city to survive outside the computer-generated Matrix, and is told that Zion’s citizens do not think about the machines that power the city until the machines stop working.

Paraphrasing Neo, Clarke said, “People need machines. But, machines need people, too.”

“[James A. Lewis of the Center for Strategic and International Studies] said the memory of Sept. 11 looms large for many of the lawmakers pushing cybersecurity legislation,” reads The Hill piece from March 17.

From the point of view of judgment by reputation, you would take whatever Joe Lieberman says and, for safety’s sake, put it in the trash.


The Pittsburgh newspaper piece was extracted from the archive of the old Crypt Newsletter website at NIU.

Wayback Machine: Gulf War virus hoax

Posted in Crazy Weapons, Culture of Lickspittle, Cyberterrorism at 9:11 am by George Smith

Today I’m reprinting material from many years back, a piece I wrote for the Wall Street Journal, and a bit from Rob Slade’s old Springer-Verlag book on computer viruses.

This is an add-on to the Voice of America blog post on cyberwar and Iran falling prey to the now over twenty year old joke.

Indeed, the editors and reporter Doug Bernard at Voice of America could have avoided the entire thing.

In e-mail yesterday, one of the sources for the story — it’s not too hard to figure out who (look for the “cyber doom” quote) — remarked he would have warned VOA’s journalist about it if it had been mentioned in interview — but it wasn’t.

VOA News did not respond to two of my notifications to them on the matter.

The Gulf War virus hoax story remains relevant, even though I wish it didn’t, simply because the nature of it plays so well to mainstream discussions on cyberwar. Almost all these greatly rely on exaggeration, fantastic claims and the painting of apocalyptic scenarios which make the alleged discombobulation of an Iraqi air defense system in 1991 seem quaint.

Paradoxically, even though no computer virus experts take the Desert Storm tale seriously, much more recently security researchers have worked to reveal vulnerabilities to malware in modern printers. For laymen who would stumble across the old 1991 joke repackaged as a new revelation from history, the distinction between a joke and what is actual research disappears.

Once again, such stories rely on a flaw in American thinking — the belief that if bullshit is passed by enough sources it becomes not-bullshit. Or that “truth is a matter of majorities” — more specifically, those you choose, to quote Andrew White again.

Again, since the Gulf War virus hoax writings are now so old, you can’t find the originals on the web. (Well, you can find some material but it’s not at the fingertips.)

Reprints begin below.


Truth is the first casualty of cyberwar by George Smith, Wall Street Journal, September 8, 1998.

Reprinted with permission of The Wall Street Journal © 1998. Dow Jones & Company, Inc. All rights reserved.

Concern is growing in many quarters that society’s reliance on computers has made it extremely vulnerable to attack via keyboard. Journalist James Adams has written a new book, “The Next World War,” which claims that information warfare will be the battleground of the future. At the Pentagon, military theorists ponder how to defend America against hackers in the employ of a foreign power who might use the Internet to turn off the electricity, paralyze the armed forces, cause corporations to crumble and write dirty words on your Web site.

Before you run screaming from your computer and haul the old manual typewriter out of the closet, look closely at the source of these cyber-scares. It turns out that many of them are information-age ghost stories that get spookier with every telling.

Mr. Adams’s book passes along a couple of hoary tales. The first revolves around the idea that the National Security Agency developed a computer virus for use in the Gulf War. Supposedly secreted in the hardware of computer equipment destined for Iraq–printers, in the most popular variation–the virus was somehow designed to bushwhack Iraqi air defense computers hooked to the same network. This is implausible on its face: A printer has neither the hardware space nor the capability to spontaneously transmit programs, which is what computer viruses are, to other computers on a network.

The printer-virus story is very similar to an April Fool’s joke published in a 1991 issue of Infoworld magazine. The story was subsequently picked up in “Triumph Without Victory,” U.S. News & World Report’s book on the Gulf War. Many have fallen for it besides Mr. Adams. In 1997, a Hudson Institute researcher gave it credence in an analysis of “Russian Views on Electronic and Information Warfare.”

The second beguiling myth perpetuated by Mr. Adams and many others is that of the electromagnetic pulse gun. Since at least 1992, teenage hackers desperate for media attention have been spinning elaborate tales about this exotic weapon, usually said to be cobbled together out of a few hundred dollars worth of electronic trinkets, radio antennae, bailing wire and automobile batteries. This electronic rifle is allegedly capable of destroying computers by firing an assortment of electromagnetic waves. Mr. Adams reprints part of a 1996 interview in Forbes ASAP in which a hacker insists these are the “poor man’s nuke.” At a hackers’ convention in Las Vegas, one participant– appropriately named “Ph0n-E”–even showed off a bogus contraption that he claimed was a pulse gun.

Obviously, the genesis of this idea lies in a 1962 nuclear test whose electromagnetic pulses famously blocked radio communications. But no one has been able to overcome the basic physics problem of packing these pulses into a gun: Any such weapon would have an effective range of only a few feet while requiring a power supply so large it would severely burn, if not kill, whoever fired the weapon.

Indeed, no genuine pulse gun has ever been produced for examination. But that hasn’t stopped Congress’s Joint Economic Committee from holding two unintentionally amusing hearings, in June 1997 and February 1998, on the matter. Apocryphal claims have even spread that unnamed British financial institutions have had their computers electrocuted by such weapons.

Some other cyberwar myths making the rounds:

In 1997, Sen. Daniel Patrick Moynihan’s commission on reducing government secrecy issued a report containing a chapter devoted to computer security. In a boxed-out quote, the commission uncritically reported: “One company whose officials met with the Commission warned its employees against reading an e-mail entitled Penpal. . . . Although the message appeared to be a friendly letter, it contained a virus that could infect the hard drive and destroy all data present.” Actually Penpal is a notorious Internet hoax. In this instance, the pranksters took in a commission whose members included former intelligence agency chiefs John Deutch and Martin Faga.

The spring issue of the U.S. Army War College’s scholarly journal, Parameters, contained an article by Lt. Col. Timothy L. Thomas that soberly mentioned a computer virus called Russian Virus 666 allegedly capable of putting computer users into a trance in which they could be made to suffer from arrhythmia of the heart. The virus’s satanic name should have been a tip-off. Yet while no one would give credence to a military publication that wrote about, say, salvaging weapons technology from UFOs, readers seem to leave logic behind when the subject is computers.

In the December 1996 issue of the FBI’s Law Enforcement Bulletin, two academics, Andra Katz of Wichita State University and David Carter of Michigan State, discuss the “Clinton virus” which was “designed to infect programs, but . . . eradicates itself when it cannot decide which program to infect.” To the chagrin of the authors, the indecisive “Clinton virus” was revealed to be another Internet joke.

Oh well, look at the bright side: Cyberwar is cheap. Dueling jokes, myths and hoaxes cost almost nothing to produce and even less to spread.

Mr. Smith is the editor of The Crypt Newsletter, an Internet publication about computer crime and information warfare.

A lot, but by no means all, of the old Crypt Newsletter can be found here in the Wayback Machine.


Computer security and virus expert Rob Slade also addressed the Gulf War virus hoax in his book, forthrightly entitled “Rob Slade’s Guide to Computer Viruses,” published by Springer in 1995.

In a section on virus myths:

In early 1992, there were reports of a virus that shut down Iraq’s air defense system during Desert Shield/Storm. This seems to have started in Triumph Without Victory … and the serialization of the book by US News and World Report. The articles were rerun in many papers … and the article on the virus that ran in my local paper is specifically credited to US News & World Report. The bare bones of the article are that a French printer was to be smuggled into Iraq through Jordan; that US agents intercepted the printer and replaced a microchip in the printer with one reprogrammed by the NSA; and that a virus on the reprogrammed chip invaded the air defense network to which the printer was connected and erased information on display screens when “windows” were opened for additional information on aircraft.

[Longer technical discussion omitted.]

There is … a much more telling piece of evidence supporting the mythical status of what became known as the Desert Storm virus. Infoworld (April 1991) carried an article reporting a computer virus that US authorities had used to shut down Iraqi computer systems. The Infoworld article was, to careful readers, an obvious April Fool’s joke (supported by the name of the virus, AF/91). The article ended with the warning that the virus was out of control and was now spreading through systems in the Western world. It was a spoof of the new Windows 3 program, the popularity of which was startling industry analysts.

Although the Triumph Without Victory story was confirmed by sources in the Pentagon, the similarities to the Infoworld AF/91 prank article are simply too great. This is obviously a case of official “sources” taking their own information from gossip that had mutated from reports of the joke …

One of the other rules of thumb in thinking critically on these matters: Extraordinary claims require extraordinary evidence, not just someone’s say so.

03.20.12

Voice of America falls for Iraqi Printer virus hoax

Posted in Crazy Weapons, Culture of Lickspittle, Cyberterrorism, Phlogiston at 10:03 am by George Smith

Voice of America has opened up a new blog called Digital Frontiers.

Reads the banner: “This is the first of a series of Digital Frontiers features, exploring how international tensions translate to the online world.”

That’s nice.

VOA journalist Doug Bernard, writing from Washington, DC, in the first post from Digital Frontiers, leads with:

On January 17th, 1991, as the 34-nation coalition of Operation Desert Storm prepared for its first aerial bombardment of targets in Iraq, the U.S. military sprung a surprise.

Iraqi radar screens suddenly blinked and went dark, momentarily blinding Saddam Hussein’s military. The “Kari” radar control system had been infected with a computer virus, planted and controlled by the Pentagon. “It was a French system,” notes intelligence historian Matthew Aid of the Iraqi radar control. “They gave us the schematics and we found a way to insert some buggies into their system as the first wave of American bombers streaked toward Baghdad.”

It worked brilliantly. Iraq’s defenses were paralyzed, allied bombers faced no serious opposition, and the U.S. became the first-ever nation to launch a documented cyber-attack.

In a post entitled, “The Coming Cyberwar with Iran?” the piece goes on to muse about what is and what is not real about cyberwar.

Yes, there is some irony in the hard stone that the very first example of a real cyberattack used is a now notorious joke in computer security circles.

Now, to save on the heavy lifting, I’ll just repost the rundown on it, published at Symantec’s SecurityFocus website, back in 2003:

Did U.S. infowar commandos smuggle a deadly computer virus into Iraq inside a printer? Of course not. So why does it keep getting reported?

“Many have been enthralled by the Gulf War virus’ siren call, almost all in efforts to hold up some proof of the magical power of information warfare.”

A creepy enthusiasm for tales of weird weapons rises as war approaches … In this environment, where everyone charges full speed ahead for the hot scoop or astonishing apocrypha, even the oldest hoaxes can return for one more bow.

In a February piece for the Memphis Commercial Appeal, a retired air force man mused on the subject of information warfare and how it might be used to strike Iraq down. Dabbling in a little history, the author recounted how in Gulf War I the U.S. drew up plans to take down an Iraqi anti-aircraft system with “specially designed computer viruses [to] infect the system from within. Agents inserted the virus in a printer shipped to an Iraqi air defense site.”

Special Forces men were also said to have infiltrated Iraq, where they dug up a fiber-optic cable and jammed a computer virus into it. “It remained dormant until the opening moments of the air war, when it went active…” wrote the columnist. Iraq’s air defense system was vanquished.

Frankly, this is a great story. It’s amusing to remember how it kicked up a storm in 1991 after its initial appearance as an April Fool’s joke in Infoworld magazine.

The gag asserted the National Security Agency had developed the computer virus to disable Iraqi air defense computers by eating windows — “gobbling them at the edges…” The virus, called AF/91, was smuggled into Iraq through Jordan, hidden in a chip in a printer — the latter being a distinguishing feature of many subsequent appearances of the hoax.

Chat board gossip on it echoed for days, not only from people who thought the joke quite funny, but also those who missed the original citation and engaged in laborious discussion on the imagined technology of the virus.

Inevitably, a large media organization got wind of the story and pounced without bothering to track down the tale’s provenance.

U.S. News & World Report published news of the Gulf War virus in its coverage of the war, a narrative that also found its way into “Triumph Without Victory,” the magazine’s subsequent book on Desert Storm.

The Gulf War virus, wrote U.S. News, attacked Saddam’s defenses by “devouring windows” Iraqi defenders used to check on aspects of their air defense system. “Each time a technician opened a window … the window would disappear and the information would vanish.” The virus was “smuggled to Baghdad through Amman, Jordan” in chips inside a printer.

From there, the bogus story was reported by the Associated Press, CNN, ABC Nightline, and newspapers across the country.

When queried about the tale’s uncanny resemblance to the Infoworld joke, Brian Duffy, the primary author of the U.S. News article (and now executive editor of the magazine) stubbornly defended his sources — “senior officials” all. In a follow-up Associated Press article outlining the imbroglio, Duffy maintained he had “no doubt” that U.S. intelligence agents had carried out the Gulf War virus attack, but admitted similarities to the Infoworld joke were “obviously troubling.” Duffy’s sources, were, of course, anonymous.

Many have been enthralled by the Gulf War virus’ siren call through the decade, almost all in efforts to hold up some proof of the magical power of information warfare.

In the March 1999 issue of Popular Mechanics magazine, in a piece on cyberwar, the publication wrote: “In the days following the Gulf War, stories circulated that [cyber] weapons had been unleashed on the Iraqi air defense system.” The nefarious printers were again used containing “chips [with] programs designed to infect and disrupt…”

A Hudson Institute analyst peddling a paper on Russian thoughts on cyberwar fell for it and when confronted aggressively argued that it was true because, well, just because. [As a result, she fell into disrepute and never published much again.]

Other appearances include an allegedly seminal book on computer combat entitled “The Next World War.” In this instance, the miraculous Gulf War virus failed to do its job because the U.S. Air Force accidentally bombed the building where Iraq stored the virus-laden printers. The author went on to found an infosecurity firm known for its publicity-happy hyperbolic proclamations on cyberwar. [The firm eventually declared bankruptcy.]

Why was the hoax so successful?

The easy answer is to simply call everyone who falls for the joke a momentary idiot. But the Gulf War virus plays to a uniquely American trait: a child-like belief in gadgets and technology and the people who make them as answers to everything. Secret National Security Agency computer scientists made viruses that hobbled Saddam’s anti-air defense without firing a shot! Or maybe it didn’t work but it sure was a good plan!

In this respect, the joke is ageless. People are just as able to nebulously theorize about the tech of it and its implications in 2003 as they were in 1991. Will an updated version of the nonexistent AF/91 virus be used against unwired Iraq? Stay tuned… April 1st is less than a month away.

Now over two decades old you can still find uninformed US military men, who’ve read about the alleged thing in some “authoritative” source that passed it on years ago, passing it on while adding their own measure of brio.

In the same way myths and apocryphal stories pick up additional dander over time: “They gave us the schematics and we found a way to insert some buggies into their system as the first wave of American bombers streaked toward Baghdad.”

Thrilling!

“The term cyberwar is really just a marketing gimmick,” says the same man, peddling a book “considered the definitive history of the super-secret National Security Agency, or NSA.”

Well, they all get an “E” for effort.

03.19.12

Cyberweapons: Not all they’re cracked up to be

Posted in Crazy Weapons, Cyberterrorism at 12:34 pm by George Smith

Today the Post ran a piece on development, or the lack of it, of cyberweapons by the US military. The US government still spends way more on cyberdefense.

The quote worth a box out and coming as no real surprise to blog readers:

“To affect a system, you have to have access to it, and we have not perfected the capability of reaching out and accessing a system at will that is not connected to the Internet,” said Joel Harding, an independent consultant who is a former military officer and former director of the Information Operations Institute.

Even if an operator gains access, he said, “unless you already have custom-written code for a system, chances are we don’t have a weapon for that because each system has different software and updates.”

The reporter runs down a small list of incidents from wars in the last few years which may have involved cyberweapons, all with iffy, virtually non-existent or mixed results. Almost all the sources are anonymous.

In what must be seen as progress the Gulf War printer virus April Fool’s joke is not used as one of them.

“Some experts believe that Israel may have used a cyberweapon to blind Syrian radar before bombing a suspected nuclear facility in September 2007, but several former U.S. officials say that the technique more likely used was conventional electronic warfare or radar jamming using signals emitted from an airplane,” reads the Post.

However, in many circles, belief in a magical quality for cyberweapons remains strong. It has to do with American society, and I summarized it in 2003 when writing about the longevity of belief in the Gulf War virus hoax:

[The] Gulf War virus [played] to a uniquely American trait: a child-like belief in gadgets and technology and the people who make them as answers to everything.

03.09.12

US Cyberwar Assessments — the usual conflict of interest

Posted in Cyberterrorism at 2:27 pm by George Smith

Yesterday’s cyberwar news revolved around a report issued by the U.S.-China Economic and Security Review Commission.

The government commissioned Northrop Grumman to do the report.

Northrop Grumman is a big arms manufacturer and one part of its business model is now the selling of cybersecurity/cyberdefense contracting to the US government.

For the last ten years, at least, the US government has regularly outsourced threat assessment to the defense and national security companies providing defense against the threats assessed.

It’s a terrible conflict of interest but it’s the way things are. Set in impervious stone, there is no way to change it.

The cynic could view it as just a practical dealing with the ways of the defense machine. If the government went to the trouble of hiring and paying its own people to do the job, they’d sooner rather than later wind up doing the same thing for a contractor, selling the product back to the government at not-so-cheap prices, anyway. The government has become a stop on the way to the private sector, a shop where you can arrange things so that when you hit corporate America, you know what buttons to massage and who to grease to get a share of the national spoil for your firm.

So why even bother with the pretense of having an in-between stage of allegedly independent employees doing it?

Having put this to electrons, the report is here.

For what it is, it’s rather modest, particularly in comparison with the press spawned.

It spends a lot of print mapping the cybersecurity training and defense structures in the Chinese government, academia and the private sector, so far as they can be determined from the public record.

In this, readers see a simple mirroring of the government, private sector and academic interest in cybersecurity and the topic of cyberwar in the US. Nothing more, nothing less.

A final section of the report deals with security concerns over supply chains and alliances between Chinese state-sponsored businesses and the information technology industry in the US.

The report presents the problem of determining whether or not chip manufacturing, now almost all done in a distributed manner overseas. (The report calls it “fabless” manufacturing — the companies that are the suppliers and brand manufacturers now simply being fronts for ships which aggregate finished goods, parts and processes from all over the world.)

At this point in time, it’s impossible to secure. However, it’s also so complicated that there is no one person, or group of people, or central repository, that can map it. There are always people, or agencies, which insist they do. They’re almost always lying or exaggerating for their own purposes.

The complexity of this network defies securing. It is also problematical for those who, according to US suspicions, might wish to exploit it to embed trojan horses and malicious products all over the US. More complexity seems to always breed more vulnerability. It also means fewer and fewer people accurately grasp the entire picture, including experts.

Attackers can no more determine whether poisoned products will wind up in critical areas, or if they will wind up anywhere important at all, than defenders can.

Easier to have someone on the inside of a very specific target, ready to add a contaminated device, perhaps à la Stuxnet.

And far easier to just try and get into network points from the web.

The Seattle Times published a piece that, like the rest of the news generated on the report, overstated it by sins of omission and commission.

Some excerpts:

For a decade or more, Chinese military officials have talked about conducting warfare in cyberspace, but in recent years they have progressed to testing attack capabilities during exercises, according to a congressional report to be released Thursday …

The Chinese military conducted an exercise in October involving “joint information offensive and defensive operations” and another in 2010 featuring attacks on communications command-and-control systems …


American officials have stated that the Chinese have penetrated the U.S. electric grid and that they have gained access to U.S. government and corporate networks.

In other words, the Chinese are running cybersecurity/cyberwar/penetration testing exercises in the same way the US has done, through the public and private sector, for many years.

As for the Seattle newspaper’s insertion of a sentence on the electrical grid, it’s stock sloppy repetition of received wisdoms and does not really reflect much that’s actually in the Northrop Grumman report. The arms manufacturer’s analysts make only one mention of the US power grid and taking it down through cyberwar.

One Chinese technical report — that’s one — is cited as having discussed the topic. And there is none of the usual theorizing and empty claims about what could be done to the power grid. It’s a bit of a contrast with the usual way the subject is handled.

In this it shows a slightly refreshing break from the usual official cant on the matter. A small favor, perhaps.

03.05.12

Lights out mythology finds its way into GAO report

Posted in Culture of Lickspittle, Cyberterrorism, Imminent Catastrophe at 12:11 pm by George Smith

The idea that hackers — now to mean Anonymous, the Chinese, or any other alleged enemy of the US anywhere in the world — can turn out the lights from the Internet is pervasive.

There isn’t a week that passes without some media outlet publishing a story or running a televised news segment mentioning it.

All this despite the lack of any extraordinary evidence in support of the extraordinary claims.

It is a claim abused by government and corporate security men using arguments from authority.

The power grid can be taken down because many important people say so. And the more people say so, the more true it must be.

However, a recent Government Accounting Office report entitled Cybersecurity — Challenges in Securing the Modernized Electricity Grid — shows the threadbare quality of the argument. For such an important issue — and we can agree that turning off the nation’s power by trivially flicking some software switches a world away is a serious matter — the report is a mere 19 pages long.

This is because the report has nothing, well, to report.

When it gets to delivering examples of blackouts caused by cyberattack it has none. Actually, it tries to use one, now part of our techno-mythology, and I’ll get to it in a minute.

Since the report can offer no examples, it cites a couple of instances of malware at energy facilities, not particularly remarkable news.

The first is Stuxnet, which was used to attack Iran’s uranium-enrichment program and which is thought to be a joint creation of US and Israeli intelligence. Stuxnet did not turn off the power in Iran. And most reasonable minds have now concluded that Iran has purged Stuxnet from the targeted systems.

Another example offered by GAO is the Slammer worm, a widespread malware infection that was also found disabling a “safety monitoring system” at Davis-Besse, an idled nuclear power plant in 2003.

Finally, the report reads:

Moreover, in 2008, the Central Intelligence Agency reported that malicious activities against IT systems and networks have caused disruption of electrical power capabilities in multiple regions overseas, including a case that resulted in a multi-city power outage.

The attribution is the White House’s brief Cyberspace Policy Review, published in 2009.

That report reads:

CIA reports malicious activities against information technology systems have caused the disruption of electrical power in multiple regions overseas, including a case that resulted in a multi-city power outage.

It is footnoted. However, the footnote does not attribute the CIA. Instead it points to a seller of computer security training, SANS, which announced this remarkable bit of hearsay at a security vendor conference in 2008.

Also note the GAO report does not put the White House report’s claim in quotation marks. It just cuts and pastes it, dropping it directly into the GAO text as if composed anew.

In any case, that single claim — although now passed through many authorities who simply repeat it over and over like dogma — has never come with any reasonable substantiating evidence.

Instead, it has simply been used in an argument that relies on the maxim that if bullshit is repeated often enough it eventually transforms into not-bullshit, no matter how scant the evidence.

Its nature is that of a myth or a rumor.

In mulling it over it’s worth taking some time to consider an old myth — a hoax, actually, from antique America, one involving the story of the Cardiff Giant.

Unlike the claim about shutting down the power in faraway places, the Cardiff Giant actually existed. It was a stone sculpture, unearthed at some farm in upstate New York, taken by many as a fossilized example of a race of giants that had once walked the land.

Andrew D. White, the first president and founder of Cornell, wrote about the Cardiff hoax in his autobiography and the parts relevant to this discussion are here.

Wrote White:

Entering, we saw a large pit or grave, and, at the bottom of it, perhaps five feet below the surface, an enormous figure, apparently of Onondaga gray limestone. It was a stone giant, with massive features, the whole body nude, the limbs contracted as if in agony. It had a color as if it had lain long in the earth, and over its surface were minute punctures, like pores. An especial appearance of great age was given it by deep grooves and channels in its under side, apparently worn by the water which flowed in streams through the earth and along the rock on which the figure rested. Lying in its grave, with the subdued light from the roof of the tent falling upon it, and with the limbs contorted as if in a death struggle, it produced a most weird effect. An air of great solemnity pervaded the place. Visitors hardly spoke above a whisper.

Coming out, I asked some questions, and was told that the farmer who lived there had discovered the figure when digging a well. Being asked my opinion, my answer was that the whole matter was undoubtedly a hoax …

Like the story about the power being offed in faraway lands, the Cardiff Giant inspired great enthusiasms in those convinced of its reality.

“The current of belief ran more and more strongly, and soon embraced a large number of really thoughtful people,” wrote White.

“I met them at their hotel and discussed with them the subject which so interested us all, urging them especially to be cautious and stating that a mistake might prove very injurious to the reputation of the regents, and to the proper standing of scientific men and methods in the state, that if the matter should turn out to be a fraud, and such eminent authorities should be found to have committed themselves to it, there would be a guffaw from one end of the country to the other at the expense of the men intrusted by the State with its scientific and educational interests …”

White’s essay on the nature of the Cardiff Giant and his observations on the belief in it make for absorbing reading, particularly in light of how various received wisdoms are accepted as stark truth in America today — a century and a half later.

It seems we haven’t gotten very far beyond the rubes in our modern techno-society:

At no period of my life have I ever been more discouraged as regards the possibility of making right reason prevail among men.

As a refrain to every argument there seemed to go jeering and sneering through my brain Schiller’s famous line:

“Against stupidity the gods themselves fight in vain.”


There was evidently a “joy in believing” in the marvel, and this was increased by the peculiarly American superstition that the correctness of a belief is decided by the number of people who can be induced to adopt it–that truth is a matter of majorities. The current of credulity seemed irresistible.

The Cardiff Giant, it should be noted, was far more substantial than the story about offing the lights in a faraway place. At least you could examine it.


“If you’re talking about terrorism in the real world where you want to blow up a dam or do some destruction, you can potentially do that remotely through a cyber attack” — another modern Cardiff Giant believer, from last week

03.02.12

Blow up a dam from the Internet

Posted in Culture of Lickspittle, Cyberterrorism at 9:54 am by George Smith

UPDATED

The end-of-the-week ludicrous quote worth citation comes out of the RSA Security Conference, held this week in San Francisco.

The conference is full of corporate computer security big names — and a lot of total nobodies grasping at straws. It’s famous for good exaggeration and hand-waving claims made just for the sake of publicity.

From one of the nobodies, a company called Zscaler:

SCADA systems used in industrial facilities could represent a target for cyberterrorist attacks. “If you’re talking about terrorism in the real world where you want to blow up a dam or do some destruction, you can potentially do that remotely through a cyber attack,” Geide said. The technology required to do this already exists, he said.

Extraordinary claims require extraordinary evidence. Not arguments from pseudo-authority at vendor conferences.

From a New York Times blog:

Panel discussions piled fearmongering upon fearmongering. Of the more egregious examples: One RSA panel discussion about trojans, malware and targeted hacks included a slide featuring a month-old online ad for a hitman’s services. The hitman offered to “eliminate someone while keeping above suspicion” within 30 days for $9,133. It’s still not entirely clear what this had to do with trojans, or cyberattacks, but it was scary nonetheless.

Yes, hire a hitman on the Internet.

“Professional contract killings at prices you can afford,” it reads. “Let our team of experienced contract killers make a bold statement on your behalf.”

10,806 likes on Facebook.

I was thinking of thumbs-upping it myself. Only nine-ninety five, cash money to PayPal, to join.

Coincidentally, Facebook is also a favorite place for those looking to contact the alleged Internet hitman business.


Also on hand, the standard US government rep, in this case Ashton Carter, a man with an undistinguished career as a reliable water-bearer of concerned-sounding comment or weather vane for whichever way the wind blows in defense policy:

[Ashton Carter] expressed concern that neither governments nor the private sector are yet taking security sufficiently seriously.

“Cyber will overtake terrorism as the persistent gnawing kind of threat and danger.”

He … said the [Pentagon’s] strategy would aim to defend both classified and unclassified networks, create technology using the DoD’s “weight and resources” and distribute it to law enforcement agencies.

02.27.12

Stratfor on PETA

Posted in Culture of Lickspittle, Cyberterrorism at 4:26 pm by George Smith

When trivial e-mails show your analysts are looking at PETA for Coca-Cola, you look bad. When you look bad, your schedule clears out. When your schedule clears out, you grow a scraggly beard. When you grow a scraggly beard, people think you’re a beggar. Don’t be a corporate flunky carpetbeggar, gossiping about PETA for Coca-Cola. Use net search for good things.

One of the WikiLeaks posts from the Stratfor people doing trivial net search on People for the Ethical Treatment for Animals, for corporate flunkies at Coca-Cola. Presumably because Coca-Cola gets criticized by organizations that monitor corporate cruelty toward animals.

The post:

Hi Van,
I’m checking with our analysts to find out what information we already
have on the subject. I’ll get back to you soon with more information.

Best regards,
Anya

Van C. Wilberding [senior manager for Coca Cola] wrote:

Hi Anya,

Thanks again for your help with respect to the Korean Peninsula
situation.

We are now looking at PETA and the potential for protests at the
Vancouver Olympics and related events. (Please see the following
questions below.) We’d like to schedule a time for a conference call
with you and/or your analyst(s) on this topic.

— How many PETA supporters are there in Canada?
— How many of these are inclined toward activism?
— To what extent will US-based PETA supporters travel to Canada to
support activism?
— What is PETA’s methodology for planning and executing activism?
(Understanding this better would certainly help us to recognize
indicators should they appear.)
— To what extent is PETA in Canada linked to PETA in the US or
elsewhere?
— To what extent are the actions of PETA in one country controlled by
an oversight board/governing body?
— To what extent could non-PETA hangers-on (such as anarchists or ALF supporters) get involved in any protest activity?

Please let us know what works in terms of timing of the conference call.

Thanks again,

Van
Coca-Cola: LIVE POSITIVELY – Our Company and leaders have supported education for more than 100 years. Learn about our education programs around the world.

It’s not much of a secret that thousands and thousands of assholes work for big US corporate multi-nationals. However, it is always illuminating to see how venal they are, that they have trivial intelligence operations hiring other flunkies to provide hearsay on groups which many Americans would view as good people — or at least NOT security threats. Unless you’re Ted Nugent.

Another post:

Interesting, thanks Fred.

Fred Burton wrote:

The FBI has a classified investigation on PETA operatives. I’ll see what
I can uncover.

Sent via BlackBerry by AT&T

That’s some nugget of intel nose gold.

“[The] professional intelligence community is acknowledging us as being the gold standard of intelligence,” wrote Stratfor CEO George Friedman in another well-publicized post.

The series of PETA mails — brief.

WikiLeaks does Stratfor

Posted in Cyberterrorism at 10:01 am by George Smith

Today WikiLeaks published the stolen internal e-mails of the private intelligence firm Stratfor, taken last year by Anonymous.

They are here — along with a preamble pointing out some of the archive’s highlights.

The 2012 archive is the easiest place to start. There’s much to sift, as is the nature of these types of e-mail dumps, and it will take weeks, one assumes, to tease out the most interesting bits.

Initially, among other things, it shows some corporate spying flunky using the Stratfor network to monitor the Yes Men, the well-known activist group of pranksters which has targeted various American multi-nationals. Most notably, Union Carbide/Dow, by famously posing as company officials offering redress to the victims of the lethal industrial accident in India in 1984.

One sees the Yes Men’s public itinerary, its Twitter feed and so on, copied to the representatives of the firms it has embarrassed.

Whoever’s paying for the alleged dirt — well — let’s just say they’re not getting much for their cash money. The e-mail spill makes the firms involved, like Dow, only look more trivially venal and evil than originally thought, if that’s still possible in 2012.

Also on display, an apple-polisher explaining how great it is to be an unpaid intern at Stratfor, this embedded in a longer post on an alliance with Goldman Sachs to use the firm’s insider intelligence “to trade in a range of geopolitical instruments, particularly government bonds, currencies and the like.”

One of the posts detailing it is here.

In the same mail, Stratfor head George Friedman exhorting the faithful with news of the company’s predictions to the US Marine Corps:

We have also been asked to help the United States Marine Corps and other government intelligence organizations to teach them how Stratfor does what it does, and train them in becoming government Stratfors. We are beginning this project by preparing a three-year forecast for the Commandant of the Corps. This is a double honor for us. First, the professional intelligence community is acknowledging us as being the gold standard of intelligence. Second, we are being asked to use our honest and unhedged views to support what is for Stratfor- an American company-its homeland. Again, as with StratCap, there is no tension. We will tell the U.S. government precisely what we tell our readers and we think ourselves. Our first lesson to the government is that intelligence organizations exist to make decision makers uncomfortable, not to make them feel better about their decisions. I didn’t come this far to compromise on that.

I guess it is good to know that Stratfor believes its mission in helping secure the homeland somehow is served by collaborating with Goldman Sachs in leveraging insider information as part of the processes the big bankster company achieved a reputation for — shady investment advice/complex financial instruments. Getting into the “Doing God’s work” game, eh?

Two other observations gained from the 2012 archive: (1) Stratfor’s kinda cheap; and (2), being perceived as a spying firm for corporate interests is bad for the reputation.

“I am not the smartest cat in the sandbox, but I showed up as an intern everyday and showed eagerness to learn and to work, and I got rewarded for it,” writes one analyst. “Just don’t want ya’ll to be discouraged by the lack of pay …”

“Our cash position is not spectacular by any means …” reads part of a memo from Stratfor’s George Friedman.

“Intelligence organizations exist to make decision makers uncomfortable,” reads the mail.

While not the US government or Bank of America, today Stratfor’s decision makers were, I suppose one can say, discomfited by WikiLeaks.

02.23.12

Cyberwar & the Insubstantial Blues

Posted in Cyberterrorism at 2:49 pm by George Smith

From the Google news tab today, a bit on cyberwar from National Defense magazine, a trade pub no one reads except war profiteers and those readying themselves for a career in the same while in service to the government. In other words, a mag for the revolving door biz.

Entitled “What If There Were a Cyberwar and Nobody Knew About it?” — it actually looks to date from 2009, initially as a news piece on Martin Libicki’s Cyberdeterrence and Cyberwar.

Financed by the Air Force and published through the Bland Corporation RAND, the book was a working example of the insubstantial nature of the cyberwar argument.

Three years old, it still has nothing to hang its hat on except the advent of Stuxnet.

Cyberwar hasn’t shown up in any big way in the intervening three years although you wouldn’t know it from reading the US press. Still, by contrast with what passes for discussion today, the book was cautious for its time.

Some standard lines, excerpted, the kind that everyone repeats so they can have a career in the national security apparatus:

Another reason why the public may not be informed of a cyberwar is the risk that a third party could insert itself into the conflict. If the United States and China were engaged in such a war, for example, a hacker — someone sitting on a couch in a basement somewhere — or a third nation interested in seeing a prolonged conflict, could surreptitiously launch computer assaults and escalate the war.

“An exchange of cyber-attacks between states may also excite the general interest of superpatriot hackers or those who like to dogpile — particularly if the victim of the attack or the victim of retaliation, or both, are unpopular in certain circles,” Libicki wrote in the book, which was commissioned by the Air Force. The two adversaries may blame each other for the attacks, and not be aware that they are being manipulated.


So how good is the United States [at cyberwar]? Its cyber-offense capabilities have been largely kept out of the public eye. Libicki didn’t want to reveal much in a nonclassified setting, saying only that, “We’re really good. … In fact, I think we’re better than anybody else. We’re also very professional about this. The state of our tradecraft is very good.”

None of this is new. The US has been said to be the best at cyberwar for years. It can’t be helped. Even though there’s no metric, people who work within the system are expected to brag about the skill of it.

We’re always the best at everything, particularly when your future prospects depend upon you saying so.

And one can see that hanging consequences on hackers, for something, say, that theoretically might happen between the US and the many cyber-enemies, like China, has been talked about for a while.

If you download the book — RAND makes it available free in .pdf (no link, easy enough to Google) — the paucity of old material on which to base a discussion becomes apparent.

There are, naturally, no instances of the power grid being interrupted, no examples of water being poisoned or corrupted, no examples of the financial system being subverted, now the big laugher in the bunch.

There are eight instances of the word “blackout,” none of them linked to anything actual, although one does find in the footnotes the old media stories, since evaporated into ephemera, which originally claimed otherwise.

Two examples, again neither amounting to much and quickly disregarded, are seen. The first is the Slammer worm, which some reporters tried to tie to the Northeast blackout in 2003. The news piece cited was written by a journalist I once shared a stage with at the Cato Institute.

His record since has not been good.

The other bit is a story about Chinese hacking of the power grid, pumped by Shane Harris at the National Journal, and a subsequent alleged blackout in Florida — an incident virtually no one believes.
