via Byline *Suppose that Richard Clarke had written a somewhat speculative book about security in 1998, and he said that, at the cost of a few airplanes and two and one-fifth buildings, Arab terrorists could bog down the USA in the longest and most expensive wars the US ever had. You think people would have sized him up as an alarmist? As an ambitious defense contractor?
*This stuff Clarke says about Microsoft is obviously factual. He’s saying things everyone knows. Maybe SCADA attacks are indeed mostly mythical, but look what’s going on in the Gulf right now. Of course vulnerable infrastructure doesn’t look like a weapon. Till it is one. Civilian airplanes and flaming skyscrapers didn’t look like weapons, either.
*The guy is a security expert. If you want your infrastructure to be up to mil-spec, you can’t use commercial off-the-shelf material that was kicked out the door as fast as it would sell. It’s a fact. Mind you, I’m not saying that government oversight necessarily improves this stuff — especially when a government’s for sale to the private sector anyway. But he is telling the truth.
*If you’ve got oil wells run by oil companies for oil companies, why wouldn’t they blow up and fall over? If you’ve got finance systems run by finance systems for finance systems, why wouldn’t they blow up and fall over, too? If governments are run by governments for the sake of governance, they blow up and fall over. It’s hard to manage complex systems, especially if you’re beset with saboteurs who can’t face you on a battlefield.
If you build huge elaborate systems on single points of failure (like, say the health of Steve Jobs), why do you claim the luxury of acting all surprised when they come apart like favela tin shacks? He’s talking factually about making these systems secure. Of course the ones we have are insecure. How could they not be? Look how they were built.
*I can perfectly well understand why that happened, and how advantageous that was for the stakeholders, and the consumers like our happy selves. But it’s cynical to dismiss this guy when he’s saying something blatantly true in an area where his expertise is both deep and hard-earned.
“Clarke takes readers through various famous cyberwar incidents, most notably the Distributed Denial of Service (DDoS) attack on Estonia back in 2007, but how bad could such events really get?
“The hypothetical answer is on page 64. There Clarke deputizes you as Assistant to the President for Homeland Security and takes you through a scenario of doom. The National Security Agency has just sent a critical alert to your BlackBerry: “Large scale movement of several different zero day malware programs moving on Internet in US, affecting critical infrastructure.”
“But by the time you get your office, one of the DoD’s main networks has already crashed; computer system failures have caused huge refinery fires around the country; (((Oh wait, oil chernobyls, strictly far-fetched alarmism, how could that possibly, no way, drill baby drill, etc etc))) the Federal Aviation Administration’s air traffic control center in Virginia is collapsing, and the hits just keep coming.
“The Chairman of the Fed just called,” the Secretary of the Treasury tells you. “Their data centers and their backups have had some sort of major disaster. They have lost all their data.” Power blackouts are sweeping the country. Thousands of people have already died. “There is more going on,” Clarke narrates, “but the people who should be reporting to you can’t get through.” (((Maybe because somebody else bought all the Google search terms.)))
File under fiction (((Look: stop being stupid. Planning war-game scenarios isn’t “fiction.” That is no more “fiction” than the WWII plans to invade Normandy. It’s not factual, but it’s what there is. What do you want? A backhoe through your fiber-optic? More malware in your PC?)))
“Clarke’s book has gotten tons of play with this sort of stuff— check out, for example, the scary interview he did with Terry Gross on NPR’s Fresh Air. But little of it impresses his critics. (((There are political reasons why people never do what this guy says. It’s not him or his credibility. It’s all about the power and money and the free-market ideology.)))
“File under fiction,” begins Ryan Siegel’s review over at Wired. “Like in real war, truth is the first casualty.” Siegel warns that the tome is based on hypothetical scenarios (see above) or alarmist and inaccurate rehashings of various cyber emergencies. Plus, we note the book has no references or index. (((Unlike us WIRED bloggers, who always maintain a nifty index to go along with our chairmanship of the Counter-terrorism Security Group and our seats on the United States National Security Council. Richard Clarke was the top of the heap there. There ISN’T anybody better-informed or with more credibility. No such person exists.)))
(((I get it that there’s plenty of cybarmageddonism around that deserves a good round laugh, but the modern world has more cellphones than toilets. If you don’t think that cellphones are modern weapons of global warfare, you’re crazy.)))
Ditto, says Evgeny Morozov in the Wall Street Journal. “We do not want to sleepwalk into a cyber-Katrina,” he writes, “but neither do we want to hold our policy-making hostage to the rhetorical ploys of better-informed government contractors.” Clarke is one of four partners in the Good Harbor Consulting security firm. (((Yeah, Clarke is in the Beltway biz now, but jeez, Morozov is a Belarusian Soros guy who hangs out with US State Department people. He’s not some kind of stainless icon of objectivity when it comes to electronic warfare.)))
But even his detractors acknowledge that some of Clarke’s broad arguments make sense—most notably his warning that the Pentagon can’t assume that the energy and financial sectors will effectively defend themselves from cyber attacks. (((Obviously.)))
“At the beginning of the age of cyber war,” Clarke ruefully notes, “the US government is telling the population and industry to defend themselves.” (((Yes, they are. And you can sop our your own oil spills and provide your own pension and health insurance while you’re at it. Educate your college kids? Tough luck!)))
Money talks (((Yes it does, and lately money has started screaming hysterically and throwing grandma out the window while eviscerating national governments. But it’s not like we have vulnerability in our poorly regulated core infrastructural systems, or anything. Why worry about “flash crash” problems? Still got a house, right?)))
Why has the national response to this problem been so slow? Lack of consensus on what to do and fear of the “R-word”—government regulation, Clarke contends. Then there’s Reason Number Five on his list, which basically boils down to “Microsoft.” (((J’accuse.)))
“Some people like things the way they are,” Clarke obliquely observes. “Some of those people have bought access.” Microsoft, he notes, is a prominent member of OpenSecrets.org’s “Heavy Hitters” political donor list. Most of the list’s stars are trade associations. “Microsoft is one of only seven companies that make the cut.”
The software giant’s largesse has shifted from Republicans back in the Clinton antitrust days to Obama, he continues, but the agenda is always clear: “Don’t regulate security in the software industry, don’t let the Pentagon stop using our software no matter how many security flaws it has, and don’t say anything about software production overseas or deals with China.” (((That’s all true, too.)))
Clarke tries to be fair. He notes that Microsoft didn’t originally intend its software for critical networks. But even his efforts at fairness are unflattering. Microsoft’s original goal “was to get the product out the door and at a low cost of production,” he explains. “It did not originally see any point to investing in the kind of rigorous quality assurance and quality control process that NASA insisted on for the software used in human space-flight systems.” (((I would note in passing that NASA is so freakin’ moribund and top-heavy that they can’t deliver a manned spacecraft system.)))
But people brought in Microsoft programs for critical systems anyway. “They were, after all, much cheaper than custom-built applications.” And when the government launched its Commercial Off- the-Shelf program (COTS) to cut expenses, Microsoft software migrated to military networks. These kind of cost cutting reforms “brought to the Pentagon all the same bugs and vulnerabilities that exist on your own computer,” Clarke writes. (((That’s very much the case. If Turing was working against Nazi Germany under today’s conditions, he woulda knocked it off with the cipher machines and just mugged a few guys in Berlin for their thumb drives.)))
Floating i-brick (((It’s the truth, he didn’t make it up)))
The former White House advisor cites the 1997 USS Yorktown incident as a consequence. The Ticonderoga-class ship’s whole operational network was retrofitted with Windows NT. “When the Windows system crashed, as Windows often does, the cruiser became a floating i-brick, dead in the water.”
In response to this “and a legion of other failures,” the government began looking into the Linux operating system. The Pentagon could “slice and dice” this open source software, pick and choose the components it needed, and more easily eliminate bugs.
Clarke says that, in response:
[Microsoft] went on the warpath against Linux to slow the adoption of it by government committees, including by Bill Gates. Nevertheless, because there were government agencies using Linux, I asked NSA to do an assessment of it. In a move that startled the open-source community, NSA joined that community by publicly offering fixes to the Linux operating system that would improve its security. Microsoft gave me the very clear impression that if the US government promoted Linux, Microsoft would stop cooperating with the US government. While that did not faze me, it may have had an effect on others. Microsoft’s software is still being bought by most federal agencies, even though Linux is free. (((Everybody does it, so it must be great.)))
The company took a similarly hard line towards the banking and financial industry, Cyber War says, rebuffing access requests from security specialists for Microsoft code. When banks threatened to use Linux, Microsoft urged them to wait for its next operating system— Vista.
“Microsoft insiders have admitted to me that the company really did not take security seriously, even when they were being embarrassed by frequent highly publicized hacks,” Clarke confides. Sure enough, when Apple and Linux began to offer serious competition, Microsoft upgraded quality in recent years. But what the company did first was to lobby against higher government security standards. (((Of course they did that. By now, though, it’s likely too late. Even the Red Chinese don’t have it together to impose “high government security standards.” They’ve sure got it together to riffle through the hard disks of the rest of us, though.)))
“Microsoft can buy a lot of spokesmen and lobbyists for a fraction of the cost of creating more secure systems,” concludes Clarke’s section on the software firm. (((Yes they can. But it’s even better than that: we got online fundraising systems with more clout than a party apparatus, so even our elected representatives have a weaker grip on reality than a radio talk-show host. You think you’re gonna get a serious response on computer security from people who think Obama lacks a birth certificate? Richard Clarke is a relic from an era when American government looked and acted like a responsible superpower. But his experience doesn’t make him wrong about what he says.)))