Bush’s Cyberstrategery

The administration’s war against a bogus threat.

Seemingly innocuous movies occasionally have nasty, unintended consequences. Jaws creator Peter Benchley, for example, believes his tale of underwater mayhem has driven mankind to hunt several lethal shark species to the brink of extinction. Jodie Foster’s bawdy turn in Taxi Driver helped stir would-be Reagan assassin John Hinckley Jr. to violence. And the 1983 Matthew Broderick vehicle WarGames convinced everyone that a lone hacker can wipe out the West Coast as easily as booting up Excel.

How else to explain the credulity with which the Bush administration’s National Strategy To Secure Cyberspace was greeted last month? The 76-page document is chock full of what computer-security experts term “FUD”—geek shorthand for spreading bogus “fear, uncertainty, and doubt.” Never mind that the hype over alleged “cyberterrorism” has been thoroughly debunked, time and time again. The government’s information technology sages still trot out dubious stats in support of a looming “cyberwar,” claiming that hostile nations possess legions of computer-savvy shock troops ready to knock out New York’s electricity, zap the nation’s phone lines, or open up the Hoover Dam.

Yet here we are in 2003, and the cyberterrorism casualty list is still barren. Sure, some Serb hackers slowed down the NATO Web site during the Kosovo conflict, and a couple of Chinese hackers defaced sites in the wake of their country’s embassy being bombed. But, honestly, did either incident get you quaking in your Keds?

Still, the Bush Strategy does its best to play up the drama. It notes, for example, that “Identified computer security vulnerabilities—faults in software and hardware that could permit unauthorized network access or allow an attacker to cause network damage—increased significantly from 2000 to 2002, with the number of vulnerabilities going from 1,090 to 4,129.” Scary-sounding, yes, but virtually meaningless. The generally accepted bug rate for software is between five and 15 errors per 1,000 lines of code, which means that your typical Windows operating system probably has close to 300,000 potential “vulnerabilities.” Not every bug is exploitable, but you get the picture—mass-produced software has always been woefully insecure, and those 4,129 reported holes represent only a tiny fraction of the total.

But the increase in reported vulnerabilities is actually a good thing for computer security since it allows for patches to be designed. So this stat works against the report’s case that (as Bush writes in his intro) “threats in cyberspace have risen dramatically.” Besides, the vast majority of attacks exploit fewer than a dozen major vulnerabilities. If system administrators simply took the time to patch those well-publicized problems, the Strategy might have clocked in at a more readable length.

The Strategy employs some fuzzy math to amp up the peril, stating that “one estimate places the increase in cost to our economy from attacks to U.S. information systems at 400 percent over four years.” There’s no footnote as to where this estimate comes from, nor any mention of what dollar amount will be quadrupled. The report does quickly add, however, that “While those losses remain relatively limited, that too could change abruptly.”

Such hypothetical changes are a big theme throughout. The report makes a big deal out of recent worm attacks like NIMDA, then backtracks by adding, “Despite the fact that NIMDA did not create a catastrophic disruption to the critical infrastructure. …” Or there’s this nugget: “In wartime or crisis, adversaries may seek to intimidate the nation’s political leaders by attacking critical infrastructures and key economic functions or eroding public confidence in information systems.”

The notion that hackers could disrupt basic services is a favorite scare tactic of the National Infrastructure Protection Center, formed by President Clinton to combat the cyberterror menace. NIPC is also one of the most ineffectual bureaucratic agencies ever to come down the pike. (Check out this site for a full account of NIPC’s foibles.) Despite ostensibly being staffed by the nation’s best and brightest cyberwarriors, NIPC has never bothered to mention that mission-critical systems are not designed for remote operation, which makes the whole Hoover Dam scenario implausible at best. Of course, toning down the hyperbole could mean fewer funds for NIPC, so why bother? (Richard Clarke, Clinton’s cybersecurity czar during NIPC’s formative years, is responsible for one of my favorite FUD quotes of all time: “An attack on cyberspace is an attack on the United States, just as much as a landing on New Jersey.” Uh-huh.)

To be fair, law enforcement is not the only entity beating the cyberterror drum. The computer-security industry is well-versed in hyping the threat, from making their self-serving “experts” available whenever another virus hits to planting hoaxes in the press, such as McAfee’s notorious “JPEG virus” scam. Industry representatives spout ridiculously high estimates for cyberattack damages, such as the $1.2 billion price tag for the February 2000 “Mafia Boy” denial-of-service attacks; that number included the short-lived loss of market capitalization ascribed to the attacks. Microsoft (which owns Slate) is guilty of some particularly egregious FUDing. Last February, the Microsoft-led Business Software Alliance published a survey claiming that a major cyberattack would be launched against the United States within 12 months and that Uncle Sam should be sure to stock up on the latest security products. The deadline passed with nary an apology from the BSA.

But it’s the government that circulates the real doozies. Absent any actual proof of cyberterrorism’s existence, the Strategy dredges up an old myth regarding a series of 1998 attacks on the Pentagon, NASA, and several research labs. “The intrusions,” we’re told, “were targeted against those organizations that conduct advanced technical research on national security, including atmospheric and oceanographic topics as well as aircraft and cockpit design.”

What’s really being discussed here, however, is an amalgamation of several different incidents. One involves three teens—two Californians and an Israeli—who managed to hack their way into some unclassified Pentagon payroll files and some worthless dot-mil sites. Another is a shadowy Russian-based operation that the Department of Defense nicknamed “Moonlight Maze” and that the press characterized as a potential WarGames scenario—at least until DOD itself admitted that nothing of value was compromised. The last involved a gang calling itself the “Masters of Downloading,” which claimed to be able to “take control” of NASA satellites. This claim, too, was discredited. (Meanwhile in the offline world, a man posing as a CIA agent was able to tour sensitive NASA buildings for eight months before his ruse was discovered.)

None of this is to suggest that computer security isn’t a problem. Corporate networks, in particular, are far from locked-down, and economic crime is an increasing headache for e-commerce enterprises and financial institutions alike. Occasionally it seems as if every credit card number in the world will eventually wind up in the hands of computer-savvy Russian teenagers. And, yes, the Strategy does make a few smart recommendations to deal with such issues, such as organizing a nationwide program to better train system administrators.

But the bulk of the report’s solutions are lame. Most are meaningless jargon, such as suggesting that “future components of the cyber infrastructure are built to be inherently secure and dependable for their users.” A fantastic sentiment, but as mushy as stating that the president is “for the children.” What about making software vendors liable for bug-ridden products? Or rooting out insecure Microsoft products like the troubled SQL Server in favor of more secure open-source solutions like OpenBSD?

Nothing so bold is forthcoming in the Strategy. Which is yet another indicator that the czars of national computer security are perfectly content to tease out the hyperbole in perpetuity. The bigger the perceived threat, the greater their importance inside the Beltway.