Antoni's Wire Service

Date: Mon, 15 Feb 1999 23:11:12 -0400 (AST)
From: Antoni Wysocki
To: Antoni's Wire Service
Subject: Cybercrime...Cyberterrorism...CyberBUNK


In Dec/98 the Centre For Strategic and International Studies (CfSIS) released a report entitled Cybercrime...Cyberterrorism...Cyberwarfare - Averting an Electronic Waterloo . In this short volume Frank Cilluffo et al. maintain that US computer networks are dangerously exposed to online sabotage and that the situation requires urgent redress.

In some respects I would be gratified to have confirmation of their claims (as when the authors warn : "Cyberterrorists, acting for rogue states or groups that have declared holy war against the United States, are known to be plotting America's demise as a superpower.") Still, leaving aside the question of the desirability of some of the scenarios conjured by Cybercrime it must be asked, how plausible are they? The cogency of this question comes from the fact that Cybercrimes not only purports to identify risks but also propounds a scheme for neutralizing them which entails an expansion of the already sweeping powers of state security forces.

Certainty is bound to be elusive when dealing with a system as massive as the Internet and further vagaries are introduced when one lumps in the various Intranets (about which, by definition, information is restricted). Nonetheless one can be fairly confident in supposing Cybercrimes to be wildly overblown.

Cybercrimes came to my attention when an executive summary of it was posted to the MAI-NOT list. The person who filed it expressed doubts of its soundness on the grounds that it was produced by a corporate-funded think tank, and her investigations of institutes of this sort have revealed the heavily tendentious nature of their output.

Logicians classify as fallacious syllogisms of the type : "Joe says taxes on the rich should be reduced; Joe is rich and would benefit from such a reduction; therefore Joe is biased and his argument worthless". However, though a proposition cannot be refuted merely by showing that its propounder stands to gain from the adoption of the measure advocated it is entirely rational to be suspicious in such circumstances.

The chair of the CfSIS project which commissioned Cybercrimes was William H. Webster, former Director of the Central Intelligence Agency (CIA). Cybercrimes outlines a five-point program to "[p]repare U.S. intelligence for Information Age threats" which advocates augmentation of the existing intelligence agencies. As the CIA has presented false information even in the recent past in hopes of aggrandizing itself one may well question whether the findings in Cybercrimes are disinterested. (The CIA portrayed itself as embarrassingly caught by surprise when Pakistan detonated a nuclear device last year and asked Congress for a large increase in funding so as to be better prepared in future. However, Fairness and Accuracy in Reporting has revealed that the CIA actually knew well in advance about the impending explosion.)

Misgivings of this sort led me to seek other writings on the subject. Somewhat serendipitously I came across George Smith's "An Electronic Pearl Harbor? Not Likely" . "Electronic Pearl Harbor" was published in the Fall/98 edition of Issues in Science and Technology Online, an organ of the National (i.e. US) Academies of Science and of Engineering (a reputable source if ever there was one.) As it predates the appearance of Cybercrimes Smith's article is not, of course, a direct rebuttal of the book but it offers a levelheaded critique of just the sort of fearmongering that Cybercrimes is redolent of.

Smith first calls into question the general reliability of government agencies in assessing the dangers of online "warfare". A particularly damning example which he gives is that of a report prepared by the FBI in 1996 for the use of other law enforcement agencies. Smith's account can scarcely be improved upon so I will quote from the source :

A virus called "Clinton," wrote the authors, "is designed to infect programs, but...eradicates itself when it cannot decide which program to infect." Both the authors and the FBI were embarrassed to be informed later that there was no such virus as "Clinton." It was a joke, as were all the other examples of viruses cited in the article. They had all been originally published in an April Fool's Day column of a computer magazine.

Cybercrimes makes much of viruses' supposed potential for creating mayhem but Smith shows that the credulity at work in the "Clinton" episode informs this whole mania about viruses. While he does not categorically deny the possibility that viruses could be employed by enemies to achieve some disruption Smith makes a convincing case for why this is extremely unlikely. Amongst other factors he points out that viruses cannot be controlled and accordingly present equal danger to all parties, including the instigators. He concludes pithily :

But what if, with all the caveats attached, computer viruses were still deployed as weapons in a future war? The answer might be, "So what?" Computer viruses are already blamed, wrongly, for many of the mysterious software conflicts, inexplicable system crashes, and losses of data and operability that make up the general background noise of modern personal computing. In such a world, if someone launched a few extra computer viruses into the mix, it's quite likely that no one would notice.

Smith also includes material which directly confutes the Cilluffo and co. In Cybercrimes we are told that, "They have crashed systems from abroad (a 16-year-old English boy took down some 100 U.S. defense systems in 1994)".

Smith gives a much less histrionic account. He relates that it took about a fortnight for the US Air Force to determine the identity of the youth (one Richard Pryce, assisted at times by Matthew Bevan). As a kind of primer for related situations in future the USAF allowed the hacking to proceed unmolested for a few weeks, then eventually had the pair arrested. Pryce was given a fine while prosecutor's decided charges against Bevan were not worth pursuing.

Far from "crashing", Smith concludes that, "Pryce and Bevan had accomplished very little on their joyride through the Internet...Like the subculture of virus writers, they were little more than time-wasting petty nuisances."

With regard to online "attcks" on the Pentagon, the CfSIS maintains that "there are tens of thousands a year". Would that it were so, I say! Regrettably Smith notes that while the total of 250,000 hacker intrusions annually into Department of Defence (DOD) computers is bandied about with abandon the figure is without foundation.

Smith shows that it is based on the fact that in 1995 the DOD noted about 500 (that's right : five HUNDRED) incidents. For some unknown reason the assumption was made that only 1/5 of 1 per cent of intrusions are reported, giving rise to the quarter million total.

There are two major flaws in this. First, many of the so-called hacking incidents were the product of mistakes, not subversive activity. Second, the 0.2 % ratio used by the DOD was an arbitrary number; they could just as easily have multiplied by a factor of a million, or a billion - or of one.

The impression gained from "Pearl Harbor" is that US policymakers have no real understanding of online operations. This is confirmed by journalist Daniel Dupont in his column "Out of Site". Writing in the Jan/99 edition of "Scientific American" Dupont notes :

In six years as a Pentagon reporter I've seen dozens of classified documents, but none of them were found on the Internet. In fact, many of the scores of military Web sites I frequent are months out-of-date and utterly lacking in anything that could compromise national security.

Yet Dupont relates that US Deputy Defense Secretary John Hamre was so impressed by the supposed threat to national security posed by hackers, etc. that he caused 1,000 US Army websites to shut down last September. Some are still out of commission.

Albeit anonymously, sources within the Pentagon's ambit also corroborate Smith's analysis. From issue 75 (Nov/98) of the Federation of American Scientists' "Secrecy & Government Bulletin" :

"I certainly agree that the notion of an electronic Pearl Harbor specifically, and more generally of information warfare, has been hyped to the point of nausea," said the vice president of one intelligence contractor that has multi- billion dollar annual revenues from its work in information technology. "This is but the latest of many fads in 'the Community'," he told S&GB, "and like most of its predecessors, [it] has just enough substance to require that serious attention be paid, but not nearly as much substance as the Cassandras of the Community would have us believe."

It is clear that Cybercrimes is stuff and nonsense, based in large part on spurious evidence and dubious assumptions. Moreover, it is premised on the equation of the military/industrial complex with national interests. While this may be valid as realpolitik it should certainly be unacceptable to citizens of conscience. What we should be alarmed about is not the threat from those acting outside the law but those who use the law to advance their own interests, and those of their patrons.