Hey,
In Dec/98 the Centre For Strategic and International Studies (CfSIS)
released a report entitled
Cybercrime...Cyberterrorism...Cyberwarfare -
Averting an Electronic Waterloo . In this short volume Frank
Cilluffo et al. maintain that US computer networks are dangerously exposed
to online sabotage and that the situation requires urgent redress.
In some respects I would be gratified to have confirmation of their claims
(as when the authors warn : "Cyberterrorists, acting for rogue states or
groups that have declared holy war against the United States, are known to
be plotting America's demise as a superpower.") Still, leaving aside the
question of the desirability of some of the scenarios conjured by
Cybercrime it must be asked, how plausible are they? The cogency of
this question comes from the fact that Cybercrimes not only
purports to identify risks but also propounds a scheme for neutralizing
them which entails an expansion of the already sweeping powers of state
security forces.
Certainty is bound to be elusive when dealing with a system as massive as
the Internet and further vagaries are introduced when one lumps in the
various Intranets (about which, by definition, information is restricted).
Nonetheless one can be fairly confident in supposing Cybercrimes to
be wildly overblown.
Cybercrimes came to my attention when an executive summary of it
was posted to the MAI-NOT
list. The person who filed it expressed doubts
of its soundness on the grounds that it was produced by a corporate-funded
think tank, and her investigations of institutes of this sort have
revealed the heavily tendentious nature of their output.
Logicians classify as fallacious syllogisms of the type : "Joe says taxes
on the rich should be reduced; Joe is rich and would benefit from such a
reduction; therefore Joe is biased and his argument worthless". However,
though a proposition cannot be refuted merely by showing that its
propounder stands to gain from the adoption of the measure advocated it is
entirely rational to be suspicious in such circumstances.
The chair of the CfSIS project which commissioned Cybercrimes was
William H. Webster, former Director of the Central Intelligence Agency
(CIA). Cybercrimes outlines a five-point program to "[p]repare U.S.
intelligence for Information Age threats" which advocates augmentation of
the existing intelligence agencies. As the CIA has presented false
information even in the recent past in hopes of aggrandizing itself one
may well question whether the findings in Cybercrimes are
disinterested.
(The CIA portrayed itself as embarrassingly caught by surprise when
Pakistan detonated a nuclear device last year and asked Congress for a
large increase in funding so as to be better prepared in future. However,
Fairness and Accuracy in Reporting has revealed that the CIA actually knew
well in advance about the impending explosion.)
Misgivings of this sort led me to seek other writings on the subject.
Somewhat serendipitously I came across George Smith's "An Electronic Pearl
Harbor? Not Likely" . "Electronic Pearl Harbor" was published in the
Fall/98 edition of Issues in Science and Technology Online, an
organ of
the National (i.e. US) Academies of Science and of Engineering (a
reputable source if ever there was one.) As it predates the appearance of
Cybercrimes Smith's article is not, of course, a direct rebuttal of
the
book but it offers a levelheaded critique of just the sort of
fearmongering that Cybercrimes is redolent of.
Smith first calls into question the general reliability of government
agencies in assessing the dangers of online "warfare". A particularly
damning example which he gives is that of a report prepared by the FBI in
1996 for the use of other law enforcement agencies. Smith's account can
scarcely be improved upon so I will quote from the source :
A virus called "Clinton," wrote the authors, "is designed to infect programs, but...eradicates itself when it cannot decide which program to infect." Both the authors and the FBI were embarrassed to be informed later that there was no such virus as "Clinton." It was a joke, as were all the other examples of viruses cited in the article. They had all been originally published in an April Fool's Day column of a computer magazine.
Cybercrimes makes much of viruses' supposed potential for creating
mayhem but Smith shows that the credulity at work in the "Clinton" episode
informs this whole mania about viruses. While he does not categorically
deny the possibility that viruses could be employed by enemies to achieve
some disruption Smith makes a convincing case for why this is extremely
unlikely. Amongst other factors he points out that viruses cannot be
controlled and accordingly present equal danger to all parties, including
the instigators. He concludes pithily :
But what if, with all the caveats attached, computer viruses were still deployed as weapons in a future war? The answer might be, "So what?" Computer viruses are already blamed, wrongly, for many of the mysterious software conflicts, inexplicable system crashes, and losses of data and operability that make up the general background noise of modern personal computing. In such a world, if someone launched a few extra computer viruses into the mix, it's quite likely that no one would notice.
Smith also includes material which directly confutes the Cilluffo and co.
In Cybercrimes we are told that, "They have crashed systems from
abroad (a 16-year-old English boy took down some 100 U.S. defense systems
in 1994)".
Smith gives a much less histrionic account. He relates that it took about
a fortnight for the US Air Force to determine the identity of the youth
(one Richard Pryce, assisted at times by Matthew Bevan). As a kind of
primer for related situations in future the USAF allowed the hacking to
proceed unmolested for a few weeks, then eventually had the pair arrested.
Pryce was given a fine while prosecutor's decided charges against Bevan
were not worth pursuing.
Far from "crashing 100...systems", Smith concludes that, "Pryce and Bevan
had accomplished very little on their joyride through the Internet...Like
the subculture of virus writers, they were little more than time-wasting
petty nuisances."
With regard to online "attcks" on the Pentagon, the CfSIS maintains that
"there are tens of thousands a year". Would that it were so, I say!
Regrettably Smith notes that while the total of 250,000 hacker intrusions
annually into Department of Defence (DOD) computers is bandied about with
abandon the figure is without foundation.
Smith shows that it is based on the fact that in 1995 the DOD noted about
500 (that's right : five HUNDRED) incidents. For some unknown reason the
assumption was made that only 1/5 of 1 per cent of intrusions are
reported, giving rise to the quarter million total.
There are two major flaws in this. First, many of the so-called hacking
incidents were the product of mistakes, not subversive activity. Second,
the 0.2 % ratio used by the DOD was an arbitrary number; they could just
as easily have multiplied by a factor of a million, or a billion - or of
one.
The impression gained from "Pearl Harbor" is that US policymakers have no
real understanding of online operations. This is confirmed by journalist
Daniel Dupont in his column "Out of Site". Writing in the Jan/99 edition
of "Scientific American" Dupont notes :
In six years as a Pentagon reporter I've seen dozens of classified documents, but none of them were found on the Internet. In fact, many of the scores of military Web sites I frequent are months out-of-date and utterly lacking in anything that could compromise national security.
-http://www.sciam.com:80/1999/0199issue/0199cyber.html-
Yet Dupont relates that US Deputy Defense Secretary John Hamre was so
impressed by the supposed threat to national security posed by hackers,
etc. that he caused 1,000 US Army websites to shut down last September.
Some are still out of commission.
Albeit anonymously, sources within the Pentagon's ambit also corroborate
Smith's analysis. From issue 75 (Nov/98) of the Federation of American
Scientists' "Secrecy & Government Bulletin" :
"I certainly agree that the notion of an electronic Pearl Harbor specifically, and more generally of information warfare, has been hyped to the point of nausea," said the vice president of one intelligence contractor that has multi- billion dollar annual revenues from its work in information technology. "This is but the latest of many fads in 'the Community'," he told S&GB, "and like most of its predecessors, [it] has just enough substance to require that serious attention be paid, but not nearly as much substance as the Cassandras of the Community would have us believe."
-http://www.fas.org/sgp/bulletin/sec75.html-
It is clear that Cybercrimes is stuff and nonsense, based in large
part
on spurious evidence and dubious assumptions. Moreover, it is premised on
the equation of the military/industrial complex with national interests.
While this may be valid as realpolitik it should certainly be unacceptable
to citizens of conscience. What we should be alarmed about is not the
threat from those acting outside the law but those who use the law to
advance their own interests, and those of their patrons.
---Antoni