Fun_People Archive
25 Sep
CWD--Save the Nation; Eat a hacker
Content-Type: text/plain
Mime-Version: 1.0 (NeXT Mail 3.3 v118.2)
From: Peter Langston <psl>
Date: Sat, 25 Sep 99 04:08:49 -0700
To: Fun_People
Precedence: bulk
Subject: CWD--Save the Nation; Eat a hacker
X-Lib-of-Cong-ISSN: 1098-7649 -=[ Fun_People ]=-
X-http://www.langston.com/psl-bin/Fun_People.cgi
From: "Meeks, Brock" <Brock.Meeks@MSNBC.COM>
CyberWire Dispatch // Copyright ( 1999 // September 24, 1999
Jacking in from the "Snake in the Grass" Port:
Save the Nation; Eat a Hacker
By George Smith
CWD special correspondent
Richard Clarke, President Clinton's baleful counter-terrorism guru on the
National Security Council, has a plan to save us from computerized
terrorists. Actually, he appears to have lots of plans but we're only going
to talk about one today. And while it's not particularly original, it's a
real viper.
To save the nation from "electronic Pearl Harbor" -- you know, that nebulous
electronic doom that's supposed to be creeping toward us from out of the
gibbering dark of the Internet -- Clarke democratically "suggested" recently
that the U.S. government could change laws that are impediments to
information assurance and security.
And these impediment laws would be?
Why, just the Freedom of Information Act, as well as antitrust regulations
and liability law.
Clarke was speaking for an extended interview published in the August
edition of Signal magazine, a quasi-military trade publication whose editors
get hard-ons over Pentagon electronic technology and anything that would
aid in the smiting of the Department of Defense's alleged manifold computer
enemies. Signal is best known for an utterly weird April 1998 howler on an
alleged piece of attack software, called "Blitzkrieg," which was, the
magazine seriously told a readership of easily-gulled Pentagon contractors,
"more dangerous than nuclear weapons."
In one form or another the venomous idea to tamper with FOIA has been
bandied around in documents and studies on information warfare since at
least 1996, well before the appearance of Clarke on the cyberscene. It is
generally coupled to the linking of the military and law enforcement to
select industry "groups." The intelligence agencies, Department of Defense
and law enforcement would then share classified or supposedly sensitive
materials with these ill-defined industrial groups so they could pool
resources to quickly thwart potential "electronic Pearl Harbors."
The head of the Federation of American Scientists' Secrecy and Government
Project, Steven Aftergood, explained the rationale, or rather the lack of
it, behind screwing with the FOIA.
"Modifying FOIA is the first thing everyone thinks of," said Aftergood.
"It's the one thing everyone can agree upon."
Whenever someone in the government or military writes something on
"electronic Pearl Harbor," they have to come up with a set of
recommendations, added Aftergood. The no-brainer is to rip up FOIA, one of
the final ramparts used by citizens, as well as journalists, in the
preservation of open government.
The belief driving this, said Aftergood, is that, (1), industry won't share
any information on computer security problems with government if it isn't
shielded from FOIA because of the potential for misuse by competitors, and,
(2); "It's already too easy to obtain information through FOIA . . . which
is ridiculous."
How ridiculous?
Rob Rosenberger, a well-known independent computer security analyst and one
of the U.S. military's first information warriors, recently tried to use
FOIA to dig up some simple information about how the Air Force reacted to
the Melissa virus.
The Department of Defense has a rating system known as INFOCON. It tries,
emphasis on the word tries, to emulate the old DEFCON system in that it is
a way the military rates a threat and its posture regarding the threat.
The conditions range from NORMAL, notes Rosenberger, which means "no
significant activity ("a theoretical optimum," he notes dryly on his
website, "[that] we cannot achieve if we accept 14-yr-old hackers as a
national security threat") to ALPHA, an "increased risk of attack," -- all
the way up to DELTA, signifying a "general attack. "
INFOCON DELTA computer incidents would "undermine [DoD's] ability to
function effectively [and would create a] significant risk of mission
failure," Rosenberger explains on his website.
"INFOCON DELTA means the military treats the Internet as a battlefield,
complete with damaged PCs and smoldering mousepads," added Rosenberger.
Rosenberger's FOIA request was simple. He asked a number of Air Force
agencies what their INFOCON status was from March 15 to April 15, a window
that covered the incidence of the Melissa virus.
U.S. Air Force HQ in Europe was the only agency that answered with its
status -- INFOCON ALPHA.
The HQ Air Intelligence Agency "refused to disclose their INFOCON status"
on the grounds that "Unauthorized disclosure of such information could
reasonably be expected to cause serious damage to national security. The
document is currently classified."
The presidential support unit, the 89th Comm Squadron, "passed the buck to
HQ Air Mobility Command . . . [which] passed the buck to U.S. Transportation
Command . . . which refused to disclose such sensitive data, "the release
of which would allow circumvention and substantially hinder the effective
performance of a significant function.'"
The Air Force Office of Special Investigations didn't respond due to a
backlog of FOIA requests, noted Rosenberger.
This circle jerk of buck passing makes a mockery of the FOIA acronym:
"freedom of information Act."
And this is _before_ Richard Clarke protects us from "electronic Pearl
Harbor."
"Electronic Pearl Harbor," or EPH, in case you missed it, is a descriptor
that's been popularized by Alvin Toffler-types, ex-Cold War generals, think
tank scholars, national security mandarins, assorted corporate windbags and
too many hack journalists. Outside the Beltway, it might as well be an
acronym for "electronic propaganda and hype" since no convincing examples
of the alleged uber-menace from the Net have been seen since a first
sighting of the phrase in 1993.
Ironically, the utter lack of EPH since 1993 hasn't hindered repeated
mentions of it in the mainstream press in 1999.
Countless stories, among them Clarke's spiel for Signal, have run on the
subject this year, often seemingly the work of editors and reporters
ditching critical thinking on the subject in favor of acting like children
overcome by a joy of believing in scary stories. And although there have
been many government pointmen called upon to carry the water for EPH during
the decade, this year's prime exponent has been Richard Clarke.
Normally, the Clarke/EPH mantra goes like this: An electronic attack on the
nation could do any and all of the following -- stop water from coming out
of the taps, turn off the electricity, rob food from grocery stores, take
all of your money from the bank, disconnect 911 service, and completely
stymie the most powerful, if muscle-bound, military in the history of the
planet.
A secret 1997 Pentagon exercise called "Eligible Receiver" is offered as
proof that this is possible. Clarke invokes it for the credulous and it has
appeared literally hundreds of times in news stories on EPH since 1997.
"Eligible Receiver, " depending upon where you read about it, consists of
this:
Twenty friendly hackers, or 25, or between 30 and 35 friendly hackers, from
-- the Pentagon, the National Security Agency, or the Joint Staff, take your
pick -- proved they could take down the national power grid, take down 911
service nationwide, disrupt troop movements, buy laptops, steal laptops,
foul up the military's command structure in southeast Asia, pose as
attacking North Koreans, compromise unspecified secret computer systems,
compromise unspecified public computer systems, and all without getting
their hair mussed, using off-the-shelf software or hacker scripts trolled
from the Net.
And you thought we had problems with the Y2K issue...
Details, of course, are secret.
However, despite Pentagon propaganda claims of the amazing electronic
prowess of the "Eligible Receiver" hackers, said hackers appear to have been
absent without leave or about as effective as the concerted breaking of wind
during every significant real-world U.S. military engagement in the past
two years.
Osama Bin Laden? We sent cruise missiles, on the advice of our man, Richard
Clarke, by the way. Some of them hit the wrong target. Saddam Hussein?
Judging from empirical evidence, a man seemingly impervious to electronic
Pearl Harbor.
Slobodan Milosevic and the Serbian Army? It was "the first cyberwar,"
claimed the Pentagon's John Hamre. Hold it right there, buddy. It wasn't
Pentagon hacker hocus pocus turning out the lights and TV in Belgrade and
smashing the bridges over the Danube. Lots of cruise missiles, cluster
bombs, fancy chaff dispensers and JDAMS wrecked things the old-fashioned
way.
Having dispensed with the taxpayer-funded myth of "Eligible Receiver," the
other main proof offered by the Clarke's and EPH proponents of the nation
is citation after numbing citation, some of them apocryphal, of things like
the prevalence of computer viruses in corporate America or teenagers who
enjoy defacing government and military websites.
Consider this: To date there have been no unclassified studies, let me
repeat that, no unclassified studies, that convincingly explain in
technically sophisticated and detailed examples how precisely, for instance,
teenage hackers could suddenly gain the power to keep bombs from falling on
a Belgrade or how computer viruses, which have been infecting corporate and
government systems in good numbers for more than a decade with no more than
annoying results, could suddenly transform into weapons of mass destruction
capable of turning off the water and power nationwide.
So, let's put the whole thing in perspective. Because of a potential for
"electronic Pearl Harbor" and threats to computer security posed by
teenagers and nincompoop virus writers, which the military already won't
discuss openly even under threat of FOIA, it is necessary, says our man
Clarke, to make FOIA even more toothless. Now that's a plan!
In the late 1860's, a con man induced a farmer near Syracuse, New York, to
bury a cheap gypsum statue that had been crudely altered to resemble a
giant, fossilized man. The statue was then "discovered" and proclaimed "the
Cardiff giant," the scary remains of a specimen of a lost race said to have
wandered the hills prior to the coming of man.
Although immediately dubbed a fake by a few who smelled a rat, there was a
great deal of popular acceptance of "the Cardiff giant," which spilled over
into the news media of the time.
Andrew D. White, the first president of Cornell University and one of the
"giant's" earliest skeptics, remarked in his memoirs of the affair: "There
was evidently a 'joy in believing' in the marvel, and this was increased by
the peculiarly American superstition that the correctness of a belief is
decided by the number of the people who can be induced to adopt it."
Like "the Cardiff giant," EPH is accompanied by plenty of acceptance by the
news media and a "joy in believing" in the absence of compelling proof.
However, the people of the late 1860's didn't have to endure a Richard
Clarke attempting to tamper with open government under the guise of
protecting them from the damn bogus thing.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
George Smith, Ph.D., is editor of "Crypt Newsletter," you can contact him
at: crypt@sun.soci.niu.edu.
================================================================
EDITOR'S NOTE: CyberWire Dispatch, with an Internet circulation estimated
at more than 600,000 is now developing plans for a once-a-week e-mail
publication.
Every week, one of five well-known investigative reporters will file for
CWD. If you think your company or organization would be interested in more
information about establishing an sponsorship relationship with CyberWire
Dispatch, please contact Lewis Z. Koch at lzkoch@wwa.com.
© 1999 Peter Langston