Reliable Security Information
The 'lights out' meme and the joy of believing rubbish

The idea that hackers -- now taken to mean Anonymous, the Chinese, or any other alleged enemy of the US anywhere -- can turn out the lights from the Internet is pervasive. There isn't a week that passes without some media outlet publishing a story or running a televised news segment mentioning it. In the US, there's something in the DNA that predisposes people to belief in big claims backed up by nothing.

The claim, now a solid part of the mythology of cyberwar, is abused by government and corporate security men using arguments from authority. The power grid can be taken down because many important people say so. And the more people say so, the more true it must be.

However, a recent Government Accounting Office report entitled "Cybersecurity -- Challenges in Securing the Modernized Electricity Grid" shows the threadbare quality of the argument. For such an important issue -- and I agree that turning off the nation's power by trivially flicking some software switches a world away, if you could do it, is a serious matter -- the report is a mere 19 pages long.

This is because the report has nothing, well, to report.

When it gets to offering examples of blackouts caused by cyberattack, it has none. Actually, it tries to use one, now part of our techno-mythology, and I'll get to it in a minute.

Since the report can provide no examples, it offers a couple of instances of malware at energy facilities, not particularly remarkable news.

The first is a non-sequitur. It's Stuxnet, which was used to attack Iran's uranium-enrichment program and which is thought to be a joint creation of US and Israeli intelligence. Stuxnet did not turn off the power in Iran and it was elaborately written to target a very specific thing. Anyway, most reasonable minds have now concluded that Iran has purged Stuxnet from the targeted systems.

Another example offered by GAO is the Slammer worm, a widespread malware infection that was also found disabling a "safety monitoring system" at Davis-Besse, an idled nuclear power plant, in 2003.

Finally, the report reads:

Moreover, in 2008, the Central Intelligence Agency reported that malicious activities against IT systems and networks have caused disruption of electrical power capabilities in multiple regions overseas, including a case that resulted in a multi-city power outage.

The attribution is the White House's brief Cyberspace Policy Review, published in 2009.

That report reads:

CIA reports malicious activities against information technology systems have caused the disruption of electrical power in multiple regions overseas, including a case that resulted in a multi-city power outage.

It is footnoted. However, the footnote does not cite the CIA. Instead it points to a seller of computer security training, SANS, which announced this remarkable bit of hearsay at a security vendor conference in 2008.

Also note the GAO report does not put the White House report's claim in quotation marks. It essentially just cuts and pastes it, dropping it directly into the GAO text as if composed anew.

That single claim -- although now passed through many authorities who simply repeat it over and over like dogma -- has never come with any reasonable substantiating evidence.

Instead, it has simply been used in an argument that relies on the maxim that if bullshit is repeated often enough it eventually transforms into not-bullshit, no matter how scant the evidence.

Its nature is that of a myth or a rumor.

In mulling such things over it's worth taking some time to consider an old myth -- a hoax, actually, from antique America, one involving the story of the Cardiff Giant.

Unlike the claim about shutting down the power in faraway places, the Cardiff Giant actually existed. Pictures of it were taken. The Giant was a stone sculpture, unearthed at some farm in upstate New York, taken by many as a fossilized example of a race of giants that had once walked the land.

Andrew D. White, the first president and founder of Cornell, wrote about the Cardiff hoax in his autobiography and the parts relevant to this discussion are here.

Wrote White:

"Entering, we saw a large pit or grave, and, at the bottom of it, perhaps five feet below the surface, an enormous figure, apparently of Onondaga gray limestone. It was a stone giant, with massive features, the whole body nude, the limbs contracted as if in agony. It had a color as if it had lain long in the earth, and over its surface were minute punctures, like pores. An especial appearance of great age was given it by deep grooves and channels in its under side, apparently worn by the water which flowed in streams through the earth and along the rock on which the figure rested. Lying in its grave, with the subdued light from the roof of the tent falling upon it, and with the limbs contorted as if in a death struggle, it produced a most weird effect. An air of great solemnity pervaded the place. Visitors hardly spoke above a whisper.

"Coming out, I asked some questions, and was told that the farmer who lived there had discovered the figure when digging a well. Being asked my opinion, my answer was that the whole matter was undoubtedly a hoax ..."

Like the story about the power being offed in faraway lands, the Cardiff Giant inspired great enthusiasms in those convinced of its reality.

"The current of belief ran more and more strongly, and soon embraced a large number of really thoughtful people," wrote White.

"I met them at their hotel and discussed with them the subject which so interested us all, urging them especially to be cautious and stating that a mistake might prove very injurious to the reputation of the regents, and to the proper standing of scientific men and methods in the state, that if the matter should turn out to be a fraud, and such eminent authorities should be found to have committed themselves to it, there would be a guffaw from one end of the country to the other at the expense of the men intrusted by the State with its scientific and educational interests ..."

White's essay on the nature of the Cardiff Giant and his observations on the belief in it make for absorbing reading, particularly in light of how various received wisdoms are accepted as stark truth in America today -- a century and a half later.

It seems we haven't moved very far beyond the critical powers of the rubes in our modern techno-society:

"At no period of my life have I ever been more discouraged as regards the possibility of making right reason prevail among men.

"As a refrain to every argument there seemed to go jeering and sneering through my brain Schiller's famous line:

'Against stupidity the gods themselves fight in vain.'

"There was evidently a joy in believing in the marvel, and this was increased by the peculiarly American superstition that the correctness of a belief is decided by the number of people who can be induced to adopt it-that truth is a matter of majorities. The current of credulity seemed irresistible."

The Cardiff Giant, it should be noted, was far more substantial than the story about offing the lights in a faraway place. At least you could examine it.

The most ludicrous security quote worth citation last week came out of the RSA Security Conference, held in San Francisco.

The conference is full of corporate computer security big names -- and a lot of total nobodies grasping at straws. It's famous for good exaggeration and hand-waving claims made just for the sake of publicity. It leads to many stories that are interesting and true. Unfortunately, the interesting stories are not true while the true are frequently uninteresting.

From one of the many no-names:

" 'If you're talking about terrorism in the real world where you want to blow up a dam or do some destruction, you can potentially do that remotely through a cyber attack,' Geide said. The technology required to do this already exists, he said."

Extraordinary claims require extraordinary evidence. Not arguments from pseudo-authority at vendor conferences. Cardiff Giant believers are everywhere.

This material was originally published at Dick Destiny blog.