debunking the gov't - finally a good report in the media!

Started by Metgod, March 06, 2003, 10:50:32 PM

This is a really good report. Finally something in the media that is saying the truth about the gov't and the so-called cyber terrorism and national security risks.



http://www.msnbc.com/news/880169.asp?0si=-

Lost in cyberspace
The Bush administration's war against a bogus threat

By Brendan I. Koerner
SLATE.COM
March 3, 2003

Seemingly innocuous movies occasionally have nasty, unintended
consequences. Jaws creator Peter Benchley, for example, believes his
tale of underwater mayhem has driven mankind to hunt several lethal
shark species to the brink of extinction. Jodie Foster's bawdy turn in
Taxi Driver helped stir would-be Reagan assassin John Hinckley Jr. to
violence. And the 1983 Matthew Broderick vehicle WarGames convinced
everyone that a lone hacker can wipe out the West Coast as easily as
booting up Excel.

HOW ELSE TO explain the credulity with which the Bush administration's
National Strategy To Secure Cyberspace was greeted last month? The
76-page document is chock full of what computer-security experts term
"FUD" - geek shorthand for spreading bogus "fear, uncertainty, and
doubt." Never mind that the hype over alleged "cyberterrorism" has
been thoroughly debunked, time and time again. The government's
information technology sages still trot out dubious stats in support
of a looming "cyberwar," claiming that hostile nations possess legions
of computer-savvy shock troops ready to knock out New York's
electricity, zap the nation's phone lines, or open up the Hoover Dam.
       
Yet here we are in 2003, and the cyberterrorism casualty list is still
barren. Sure, some Serb hackers slowed down the NATO Web site during
the Kosovo conflict, and a couple of Chinese hackers defaced sites in
the wake of their country's embassy being bombed. But, honestly, did
either incident get you quaking in your Keds?
       
IDENTIFYING VULNERABILITIES
       
Still, the Bush Strategy does its best to play up the drama. It notes,
for example, that "Identified computer security vulnerabilities -
faults in software and hardware that could permit unauthorized network
access or allow an attacker to cause network damage - increased
significantly from 2000 to 2002, with the number of vulnerabilities
going from 1,090 to 4,129." Scary-sounding, yes, but virtually
meaningless. The generally accepted bug rate for software is between
five and 15 errors per 1,000 lines of code, which means that your
typical Windows operating system probably has close to 300,000
potential "vulnerabilities." Not every bug is exploitable, but you get
the picture - mass-produced software has always been woefully
insecure, and those 4,129 reported holes represent only a tiny
fraction of the total.
       
But the increase in reported vulnerabilities is actually a good thing
for computer security since it allows for patches to be designed. So
this stat works against the report's case that (as Bush writes in his
intro) "threats in cyberspace have risen dramatically." Besides, the
vast majority of attacks exploit less than a dozen major
vulnerabilities. If system administrators simply took the time to
patch those well-publicized problems, the Strategy might have clocked
in at a more readable length.
       
The Strategy employs some fuzzy math to amp up the peril, stating that
"one estimate places the increase in cost to our economy from attacks
to U.S. information systems at 400 percent over four years." There's
no footnote as to where this estimate comes from, nor any mention of
what dollar amount will be quadrupled. The report does quickly add,
however, that "While those losses remain relatively limited, that too
could change abruptly."
       
Such hypothetical changes are a big theme throughout. The report makes
a big deal out of recent worm attacks like NIMDA, then backtracks by
adding, "Despite the fact that NIMDA did not create a catastrophic
disruption to the critical infrastructure." Or there's this nugget:
"In wartime or crisis, adversaries may seek to intimidate the nation's
political leaders by attacking critical infrastructures and key
economic functions or eroding public confidence in information
systems."
       
COMBATING CYBERTERRORISM

The notion that hackers could disrupt basic services is a favorite
scare tactic of the National Infrastructure Protection Center, formed
by President Clinton to combat the cyberterror menace. NIPC is also
one of the most ineffectual bureaucratic agencies ever to come down
the pike. (Check out this site for a full account of NIPC's
foibles [1].) Despite ostensibly being staffed by the nation's best and
brightest cyberwarriors, NIPC has never bothered to mention that
mission-critical systems are not designed for remote operation, which
makes the whole Hoover Dam scenario implausible at best. Of course,
toning down the hyperbole could mean fewer funds for NIPC, so why
bother? (Richard Clarke, Clinton's cybersecurity czar during NIPC's
formative years, is responsible for one of my favorite FUD quotes of
all time: "An attack on cyberspace is an attack on the United States,
just as much as a landing on New Jersey." Uh-huh.)
       
To be fair, law enforcement is not the only entity beating the
cyberterror drum. The computer-security industry is well-versed in
hyping the threat, from making their self-serving "experts" available
whenever another virus hits to planting hoaxes in the press, such as
McAfee's notorious "JPEG virus scam." Industry representatives spout
ridiculously high estimates for cyberattack damages, such as the $1.2
billion price tag for the February 2000 "Mafia Boy" denial-of-service
attacks; that number included the short-lived loss of market
capitalization ascribed to the attacks. Microsoft (which owns Slate)
is guilty of some particularly egregious FUDing. Last February, the
Microsoft-led Business Software Alliance published a survey claiming
that a major cyberattack would be launched against the United States
within 12 months and that Uncle Sam should be sure to stock up on the
latest security products. The deadline passed with nary an apology
from the BSA.
       
HYPING THE THREAT
       
But it's the government that circulates the real doozies.  Absent any
actual proof of cyberterrorism's existence, the Strategy dredges up an
old myth regarding a series of 1998 attacks on the Pentagon, NASA, and
several research labs. "The intrusions," we're told, "were targeted
against those organizations that conduct advanced technical research
on national security, including atmospheric and oceanographic topics
as well as aircraft and cockpit design."

What's really being discussed here, however, is an amalgamation of
several different incidents. One involves three teens - two
Californians and an Israeli - who managed to hack their way into some
unclassified Pentagon payroll files and some worthless dot-mil sites.
Another is a shadowy Russian-based operation that the Department of
Defense nicknamed "Moonlight Maze" and that the press characterized as
a potential WarGames scenario - at least until DOD itself admitted
that nothing of value was compromised. The last involved a gang
calling itself the "Masters of Downloading," which claimed to be able
to "take control" of NASA satellites. This claim, too, was
discredited. (Meanwhile in the offline world, a man posing as a CIA
agent was able to tour sensitive NASA buildings for eight months
before his ruse was discovered.)
       
None of this is to suggest that computer security isn't a problem.
Corporate networks, in particular, are far from locked-down, and
economic crime is an increasing headache for e-commerce enterprises
and financial institutions alike. Occasionally it seems as if every
credit card number in the world will eventually wind up in the hands
of computer-savvy Russian teen-agers. And, yes, the Strategy does make
a few smart recommendations to deal with such issues, such as
organizing a nationwide program to better train system administrators.
       
But the bulk of the report's solutions are lame. Most are meaningless
jargon, such as suggesting that "future components of the cyber
infrastructure are built to be inherently secure and dependable for
their users." A fantastic sentiment, but as mushy as stating that the
president is "for the children." What about making software vendors
liable for bug-ridden products? Or rooting out insecure Microsoft
products like the troubled SQL server in favor of more secure
open-source solutions like OpenBSD?
       
Nothing so bold is forthcoming in the Strategy. Which is yet another
indicator that the czars of national computer security are perfectly
content to tease out the hyperbole in perpetuity. The bigger the
perceived threat, the greater their importance inside the Beltway.
       
Brendan I. Koerner is a fellow at the New America Foundation.


[1] http://vmyths.com/resource.cfm?id=26&page=1

"My Terminal is my Soul"

It's amazing how hard it is to get something written that states what knowledgeable people say is the "obvious".

Wilnix
alt email address: wilnix@hackphreak.org
