Reliable Security Information

Cult of Cyberattack

The Cult of Cyberattack made a big appearance last Sunday night. Credit 60 Minutes, the show devoting its opening segment to the standard style of be-very-afraid-whoopie-cushion news on gathering black menace.

Although it was delivered as something new and serious, I will quote from a past post -- one from two years ago to begin the putting of it in perspective:

Many years ago 'electronic Pearl Harbor' news stories were commonplace. They were always the same. A variety of mountebanks encompassing computer security software and hardware vendors, government officials and think-tanks 'experts' would be lined up to contribute to a mythology that alleged United States was about to be struck down by cyber-attack. Reporters would go into action as stenographers.

Such a cyberwar would deprive us of everything. Lights! Food distribution! Oil refineries would blow up! It would be worse than an earthquake!

For 60 Minutes, the script was changed very little.

It is not only the lights that get turned off, but also now the banks -- Wall Street.

"Admiral [Mike McConnell], the former director of national intelligence [under the Bush administration], worries about the integrity of America's money supply," reported the news program.

Here's the excerpt:

"I know that people in the audience watching this are going to say, 'Could somebody steal money out of my bank account or could somebody attack a bank that would wipe out my life savings?'" host Steve Kroft asked.

"And the answer is yes, that's possible, but that is not the major problem. The more insidious issue is, what happens when the attacker is not attempting to steal money, but to destroy the process that accounts for money? That's the real issue we have to worry about," McConnell said

Asked to describe the consequences, McConnell said, "If everybody goes down to take the money out, it's not there. So that's the issue. Since banking is based on confidence, what happens when you destroy confidence?"

Yes, what happens when you destroy confidence in banks?

Every American knows what happens. The US government bails out Wall Street with taxpayer money as the world economy is made a shambles. One year later, unemployment is surging for average Americans, although the bankers who caused the mess have again enjoyed huge bonuses.

This has, in effect, created two worlds. The one most live in like readers of this column. And the world of banks, where the outlook is swimming.

This is not what McConnell had in mind at 60 Minutes. However, it does also illustrate the split between the world where cyberwar fetishizers dwell and our own.

In the former, McConnell perhaps has no real idea how average Americans live. He left that long ago.

Now McConnell is a Senior Vice President for Booz Allen Hamilton, leading the company's "national security business unit" where one primary job is to facilitate and obtain contracts for the offering strategic advice and services on how to defend the government and banks from the cyberattacks. And on 60 Minutes, for McConnell the mischief that has tanked the economy is not brewing at home, it's everywhere else.

What could be better than to have a VP on 60 Minutes telling everyone about the lurking menace of cyberattack, being able to feature that on your homepage right next to your links for cybersecurity job staffing for positions like "Defense Intelligence Critical Infrastructure and Homeland Defense Analyst" or "Iranian Cyber All-Source Analyst"? In case that country is planning to cyberattack us.

"Booz Allen Hamilton, a leading consulting firm, helps government clients solve their toughest problems with services in strategy, operations ..." reads the website.

One sees the work afoot here. One has the right to make a good living and there is no better place to present a sales pitch refined into a story of national menace then at 60 Minutes.

For 60 Minutes, blowing up an oil refinery, which was first circulated in the late Nineties (see here) as what something China was preparing to do to the US, was rolled out, too.

"In one test, [experts] simulated how they could have destroyed an oil refinery by sending out code that caused a crucial component to overheat," reported the news show on Sunday.

"Asked what the main target would be, [national lab tester John Mulder] said: "The heating element and the re-circulator pump. If we could malfunction both of those we could cause an explosion.'"

The other two regular features present in almost all cyberattack stories over the past fifteen years are the "turn off the lights" horror story and the "stealing US military intelligence" scandal.

President Barack Obama employed the turn out the lights myth -- and I'll explain why I call it a myth in a sec -- in his nationally aired speech on cybersecurity earlier this year.

"[Cyberattacks] have plunged entire cities into darkness," said the president back in May.

And in his administration's review of cybersecurity, the claim was attributed to what was essentially a vendor-furnished press release, delivered at a security conference, a statement which claimed the CIA had confirmed to the vendor, Alan Paller, that this was so.

Specifically, the dissection of it was ably handled at vmyths here

There was no who, what, when, how or where to the story. There was not even a trace of "there" there.

That was in 2008.

And the people writing the Obama administration's review of cybersecurity thought it such a good story, they included it. Plus a citation: One which indicated a press release.

So what do you do if you are part of the Cult of Cyberattack in late 2009 and enough doubt has been tossed on the lights-out claim to make it look like you're delivering spoiled goods?

You turn up the volume, without actually providing substantial proof for an extraordinary claim.

"President Obama didn't say which country had been plunged into darkness, but a half a dozen sources in the military, intelligence, and private security communities have told us the president was referring to Brazil," reported 60 Minutes.

"Several prominent intelligence sources confirmed that there were a series of cyber attacks in Brazil: one north of Rio de Janeiro in January 2005 that affected three cities and tens of thousands of people, and another, much larger event beginning on Sept. 26, 2007 ... It is not clear who did it or what the motive was."

It is another instance of an argument from anonymous authority -- "prominent intelligence sources" -- delivered through another prominent venue, 60 Minutes, unquestioningly. A few bits of information were added to the claim, but which still indicated no effort to provide substantial proof of an extravagant and astonishing claim.

And that's what myths are often made from. Something that sounds good, something which sounds superficially substantive, passed around by others passed off as authority figures. And everyone knows such things never happen, or become the driver of policy and action, in the United States.

In any case, it is just as easy to make the argument that a few 'prominent intelligence sources' and 'experts' in the 'private security community' had heard the same Brazil blackout rumour back in 2008. Which was most assuredly so, because it made a few news sources and was also widely criticized.

Then they began gossiping about it with even more colleagues. Because people love to spread good stories, particularly when such stories serve their world view.

As for the 'stealing US military intelligence' scandal, 60 Minutes reported:

"In 2007 we probably had our electronic Pearl Harbor. It was an espionage Pearl Harbor," [Jim Lewis of CSIS] said. "Some unknown foreign power, and honestly, we don't know who it is, broke into the Department of Defense, to the Department of State, the Department of Commerce, probably the Department of Energy, probably NASA. They broke into all of the high tech agencies, all of the military agencies, and downloaded terabytes of information ... The Library of Congress, which has millions of volumes, is about 12 terabytes. So, we probably lost the equivalent of a Library of Congress worth of government information in 2007 ..."

Probably, probably.

The official "electronic Pearl Harbor" archive, which collects government expert and official claims in the news from 1993 to 2000 is here. It contains a lot of iffy "probably-like" assertions.

And In the late Nineties, the stolen information scandal was called Moonlight Maze, and here is some old writing on it.

Revisiting the Maze of Cyberattack

Moonlight Maze was an operation in which "vast amounts of technical defense research were illegally downloaded and transferred to Russia."

And those materials were? No one could say.

The London Sunday Times supplied the most influential story on Moonlight Maze in mid-1999, one that served as an inspiration for all subsequent pieces in the US newsmedia.

In Moonlight Maze, secret documents had been stolen but the US military could not determine what was in them or which ones, precisely, had been stolen. Whatever the amount, it was a lot.

Further, this information -- claimed the Times -- had been revealed at a private computer security conference by an employee of the Space and Naval Warfare Systems Command (SPAWAR).

The Times article speculated that either Russia or China could be behind the "cyberwar" that only the Pentagon could see because: ". . . Russia's relations with America have reached their lowest ebb since the cold war because of NATO's intervention in Yugoslavia. Relations with China have also suffered. An offensive in cyberspace may be their one way of retaliating without getting into a shooting war."

The London paper also speculated that Russian organized crime might be behind Moonlight Maze, and that: "China, Libya and Iraq are developing information warfare capabilities and, according to one White House official, 'we see well-funded terrorist groups that also have such capabilities'."

The London Sunday Times piece set a hallmark by which subsequent stories in the US media on Moonlight Maze could be judged:

That is, Moonlight Maze stories were recognizable by their almost complete reliance upon gossip and speculation; their complete lack of definition in the who, what and where categories; and a stupefying preponderance of anonymous sources from the Pentagon, intelligence agencies, and/or the private computer security industry speculating or expostulating for journalists.

Throughout the latter part of the summer of 1999, reporters from the mainstream media contacted me about Moonlight Maze. The story had taken on a life of its own even though there was a complete lack of substantive evidence to go on. It was clear that Moonlight Maze was going to enjoy a second lifetime in the news and, indeed, a media cascade resulted in the second week of October of that year, mostly built upon a wave of copycat reporting and inconclusive statements about the affair made in a Congressional hearing that week.

All of the reporters who contacted this author for comment had one thing in common.

They were all working from the same script. In addition to being inspired by the London Sunday Times piece, they all said or wrote that one "anonymous" source in "the Pentagon" was telling them that "Russian hackers" working off of the "Russian Academy of Sciences'" Internet domain were "involved."

"The computer assaults have given fresh impetus to measures ordered by [President] Clinton more than a year ago to protect the country's electronic infrastructure. Alerted to the threat of Moonlight Maze, the president has called for an extra $600 [million] to help fund a variety of initiatives, including [boosted investment in the National Infrastructure Protection Center]," reported the London Times in 1999.

The original collection of Moonlight Maze quote from the old Crypt Newsletter website, where I covered the affair, is here.

And that has been the pattern and strategy used by the Cult of Cyberattack:

Push stories into the mainstream media for the boosting of investment in the firms which dispense advice and services on combating the threat. Indeed, cyberattack stories can be motivated by as little as a desire to get one's name in the news for the establishment of a reputation. It is an easy way to get one's ticket punched. And since government experts and officials often have an eye toward taking a rewarding place in the world of private sector security, these are also a means of signaling that one is a good fellow for the profession and ready to work for the right team.

Indeed, if your job depends on there being a very serious, pressing and imminent cyberattack menace, then you are one of the least likely to be delivering critical thinking on the subject. In fact, just the opposite, because the business depends upon the growth of the threat of cyberattack, or just great belief in its growth, not a cold business neutral appraisal of the true extent of it.

In fact, in writing an article on digital Pearl Harbor in 1994, this writer pointed out the same, that one of the leading 'experts' predicting it was delivering these prognostications from a big defense contractor in the business of providing services to ward it off. And in a subsequent letter to the magazine in which the piece was published, an Assistant Sec'y of Defense for the Clinton administration, a man who was also a lead proselytizer on the imminence of cyberattack, objected very strongly to that.

However, it was a legitimate criticism then. And it's even more legit now.

These have always been fairly transparent and self-serving ploys. But they are of little interest to the US public in 2009. Beaten down by the shriveled economy and unemployment, there's no clamor -- no populist outcry -- for increased cyberdefense and attack spending.

There is no obvious pressing demand for it, period, other than from the security vendors and those who lease their analytic, cybersecurity and cyberwar IT workers to the Department of Defense and intelligence agencies.

By the same token, while the Cult of Cyberattack lobby is not nearly as powerful as, say, the health insurance lobby, it also comes in for much less scrutiny.

"Congress has noticed, allocating $17 billion for a top secret national cyber security initiative ..." noted 60 Minutes.

And a chunk is going to implement the Cult of Cyberattack's offensive arm by the hiring of more people to explore and develop ways of propagating badness on the Internet. As if there is not enough of that already.

Since there is no oversight of this activity obvious from the outside, many armed with common sense might be inclined to say: "Whoah, pardner. We've had enough."

However, it's unlikely this is how things will go down. Because, as in everything else, the tendency is to give in to the national urge toward inappropriate bragging, congratulating oneself about how mighty you are at cyberattack, as in all things. And that has already apparently gone to some heads. The US is in the top tier of cyberwarfighting, claimed someone allegedly important and wise for 60 Minutes

Of course, in cyberattack threat assessment -- as carried out through expert talking heads in news stories -- there are always many things said that are interesting and true. To steal a phrase.

However, those things which are interesting tend not to be true, while those which are true tend not to be interesting. And there is no easy way for laymen to sort it out.

It's supposed to be that way, you see.

Argument from authority on the nature of cyberattack and its threat to the United States has always relied on the creation of fear, obfuscation, exaggeration and frank lies to get the point across. Naturally, not everyone who shows up in the news is guilty of all these things. But after well over fifteen years of this type of abuse of the system, it's not worth the time figuring out who is and who isn't an honest broker.

This is not to say cyberspace is not fraught with trouble. Quite the opposite, only just not in the sweeping and end-of-everything scenarios and descriptions delivered by the Cult of Cyberattack. See here or here or here.

George Smith also blogs at Dick Destiny.

Subscribe to SitRep: SitRep RSS Feed SitRep ATOM Feed