Summary: President Obama shows that he knows how to lead Americans, giving a speech based on stories of successful cyber-attacks. Just as Bush demonstrated with his speech about Iraq’s nukes, American Presidents can spout any nonsense to their subjects. In turn we smile and genuflect before our betters. Bowing is not an appropriate posture for citizens.
This analysis does not say that cyber attacks have not occurred, that they are not a serious threat, or that better defenses are needed. After all, Bush’s false statements about Iraq’s nukes do not mean that there are no atomic bombs, or that their use is not a serious risk. But if America is to survive — let alone prosper — in the 21st century, we must fix our observation-orientation-decision-action loop (the OODA loop).
Demanding some evidence from our leaders about their big claims is IMO a necessary step. This speech has even less supporting evidence than President Bush and Secretary of State Powell gave for the invasion of Iraq. As yet we have no way to know if these claims are any more accurate than those about Iraq.
- The President’s speech
- Public information about his claims concerning cyber attacks
- Afterword and For More Information
(1) The President’s speech
Remarks by the President on Securing Our Nation’s Cyber Infrastructure by President Obama, 29 May 2009 — Excerpt:
We meet today at a transformational moment — a moment in history when our interconnected world presents us, at once, with great promise but also great peril.
… It’s the great irony of our Information Age — the very technologies that empower us to create and to build also empower those who would disrupt and destroy. And this paradox — seen and unseen — is something that we experience every day. It’s about the privacy and the economic security of American families.
But every day we see waves of cyber thieves trolling for sensitive information — the disgruntled employee on the inside, the lone hacker a thousand miles away, organized crime, the industrial spy and, increasingly, foreign intelligence services. In one brazen act last year, thieves used stolen credit card information to steal millions of dollars from 130 ATM machines in 49 cities around the world — and they did it in just 30 minutes. A single employee of an American company was convicted of stealing intellectual property reportedly worth $400 million. It’s been estimated that last year alone cyber criminals stole intellectual property from businesses worldwide worth up to $1 trillion.
In short, America’s economic prosperity in the 21st century will depend on cybersecurity.
And this is also a matter of public safety and national security. We count on computer networks to deliver our oil and gas, our power and our water. We rely on them for public transportation and air traffic control. Yet we know that cyber intruders have probed our electrical grid and that in other countries cyber attacks have plunged entire cities into darkness.
(2) Public information about the President’s claims concerning cyber attacks
To the best of my knowledge, the only basis for the President’s claim in the public record is a statement released at the 2008 SANS Security Conference in New Orleans. SANS is the SysAdmin, Audit, Network, Security Institute.
“CIA Confirms Cyber Attack Caused Multi-City Power Outage”, SANS NewsBites, 18 January 2008 — Excerpt:
On Wednesday, in New Orleans, US CIA senior analyst Tom Donahue told a gathering of 300 US, UK, Swedish, and Dutch government officials and engineers and security managers from electric, water, oil & gas and other critical industry asset owners from all across North America, that
“We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands. We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge. We have information that cyber attacks have been used to disrupt power equipment in several regions outside the United States. In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet.”
According to Mr. Donahue, the CIA actively and thoroughly considered the benefits and risks of making this information public, and came down on the side of disclosure.
Some questions about this statement in “Obama (!) spouts an urban legend in his cybersecurity speech”, Rob Rosenberger, posted at Vmyths, 29 May 2009 — Excerpt:
It’s an urban legend because no one knows any details whatsoever. To be specific:
- Who plunged entire cities into darkness with the click of a mouse? No one knows.
- When did these cyber-terrorists plunge entire cities into darkness with the click of a mouse? No one knows.
- Where are these cities that plunged into darkness with the click of a mouse? No one knows.
- Why did the cyber-terrorists plunge these cities into darkness with the click of a mouse? No one knows.
- How widespread were these cyber-terror blackouts? No one knows.
- Whose power grid Internet connection did the cyber-terrorists exploit? No one knows.
- How many victims perished in these cyber-attacks? No one knows.
- What did it cost to clean up after these cyber-terror attacks? No one knows.
- Does Interpol want to extradite a U.S. citizen so he can stand trial on charges of cyber-terrorism? No one knows.
Listen to me, folks. Cyber fearmongers crave this kind of information. They crave it like a drug. And yet none of the cyber fearmongers has ever come forward to say “this city got hit on this date by this terror group using clandestine funds from this nation for this purpose, plunging this many people into darkness and killing this many hospital patients who lost power to their life support systems.”
It’s an urban legend, folks. It doesn’t make it any more real when it flows from the lips of the president of the United States.
Rosenberger provides some background about the President’s claim that “last year alone cyber criminals stole intellectual property from businesses worldwide worth up to $1 trillion.” See “Obama part 2: where did his “$1 trillion” guesstimate come from?”, Rob Rosenberger, Vmyths, 29 May 2009 — Excerpt:
Let me remind you what I said back in February. Obama’s top intelligence advisor, Dennis Blair, “all but admits the entire U.S. intelligence community lacks data concerning one of the five most important threats America now faces. The mighty Blair himself can do nothing more than quote wild dollar values spouted by two companies — one of them not even involved in economic assessments.”
If America’s top intelligence official can’t produce an economic cyber-damage estimate, then how on earth can Obama do it? And why is it such a “clean” number like $1 trillion?
Answer: Obama had no choice but to use someone else’s wild guesstimate. Without attribution.
I’ve railed for at least a decade on the utter lack of metrics in the computer security industry. “The average high school keeps statistics on its girl’s softball team,” I sneered in 2005, yet “the average computer security expert keeps no statistics on virus infections. What’s wrong with this picture?”
Hysteria thrives in computer security because the experts rely on superstition, not metrics. “President 2.0” now supports their goal to frighten Americans with superstition. Again, what’s wrong with this picture?
About the author
From the “About” page of Vmyths:
Rob Rosenberger edits Vmyths and writes as a columnist. He is one of the “original” virus experts from the 1980s, and the first to focus on virus hysteria. Red Herring magazine describes him as “one of the most visible and cursed critics in computer security” today, and PC World magazine says he “is merciless with self-appointed virus experts and the credulous publications that quote them.” Rosenberger was one of only a dozen industry experts invited to the White House’s first-ever antivirus summit meeting in December 2000.
From a profile in Wired (6 August 2001):
Rosenberger is not just a random ornery writer with a website and a bone to pick. He’s an experienced programmer, a systems administrator and a man of mystery with high-level CIA security clearance. Information about Rosenberger’s status with the CIA was confirmed by an inquiry to a government office, and Rosenberger understandably refused to verify or even discuss the issue.
For more information from the FM site
Of special interest are:
Posts about America’s broken OODA loop:
- News from the Front: America’s military has mastered 4GW!, 2 September 2007
- The two tracks of discussion about the Iraq War, never intersecting, 10 November 2007
- Diagnosing the eagle, chapter I — the housing bust, 6 December 2007
- Another cycle down the Defense Death Spiral, 30 January 2008
- Quote of the day: this is America’s geopolitical strategy in action, 26 February 2008
- What do blogs do for America?, 26 February 2008
- Everything written about the economic crisis overlooks its true nature, 24 February 2009
- The housing crisis allows America to look in the mirror. What do we see?, 9 March 2009
- Globalization and free trade – wonders of a past era, now enemies of America, 16 March 2009
- A note on the green religion, one of the growth industries in America, 17 March 2009
- Poor peak oil research, more evidence of a serious problem with America’s vision, 5 May 2009
- We’re ignorant about the world because we rely on our media for information, 3 June 2009