Feb 14 2009

Obama’s intelligence chief coughs up bad cyber-intel


I’ve written on computer security hysteria for twenty years and I can tell you this: the U.S. federal bureaucracy has never produced a good economic figure for computer security damages. It’s all about hype, not accuracy.

The problem isn’t in the size or the scope of the numbers. Rather, the feds can’t settle on a ballpark figure and they refuse to show their homework. I believe the former problem stems from every bureaucrat’s desire to mouth their very own brown-tinged guesstimate … and we know the latter problem stems from every bureaucrat’s desire to overclassify their use of public domain knowledge sources.

The latter problem encourages a bizarre situation that begins when Fearmonger “A” confidently gives reporters a number he pulled out of his butt, and no reporter calls him on it. Fearmonger “B” reads it in the newspaper and says “I’ll use the number from ‘A’ as my own ballpark figure,” and no reporter calls him on it. Fearmonger “C” reads both numbers online and says “I’ll average the numbers from ‘A’ and ‘B’ when I give lectures,” and no reporter calls him on it. Fearmonger “D” finds those three numbers in a Wikipedia citation and says “I’ll normalize the values from ‘A’ and ‘B’ and ‘C’ in my master’s thesis,” and his professor doesn’t force him to disclose where the “raw data” came from…

For the very longest time — and by that I mean for well over a decade — no one bothered to collect empirical data for their guesstimates, not even the feds. But hey, a complete lack of data never stopped bureaucrats from pulling numbers out of their butts and using newspaper stories as their primary source of expertise. Pray tell, who can forget White House cyber czar Richard Clarke’s famous flip-flop before a senate sub­committee in 2002?

Richard Clarke, addressing a Senate subcommittee on 13 February 2002: “We estimate that last year alone, $12 billion were required to clean up the mess from [cyber] attacks in the U.S. economy…”

Richard Clarke, same hearing, 13 February 2002: “And yet we don’t know that officially, and I can’t tell you officially the names of these banks and companies that were hit, because the only way we know is through the rumor mill.”

Let me repeat myself, folks. The U.S. federal bureaucracy has never produced a good economic figure for computer security damages. It’s all about hype, not accuracy.

Okay, so now along comes Barack Obama with his “open” government. He picks Dennis Blair as his top intelligence advisor. Blair gives his first congressional briefing almost seven years to the day after Richard Clarke’s famous flip-flop. What kind of numbers does Blair’s solar calculator yield?

Dennis C. Blair, in his first congressional briefing as Director of National Intelligence: “Ferris Research estimates that the total cost of spam and all of the types of fraud that take advantage of spam’s impact is $42 billion in the United States and $140 billion worldwide in last year, while McAfee estimates that global companies may have lost over $1 trillion worth of intellectual property to data theft in 2008.”

I, uh … well, okay: I expected Blair to pull numbers out of his butt. Instead, he all but admits the entire U.S. intelligence community lacks data concerning one of the five most important threats America now faces. The mighty Blair himself can do nothing more than quote wild dollar values spouted by two companies, one of them not even involved in economic assessments. What’s wrong with this picture?

We’re talking about the new head of U.S. intelligence, a career naval leader with underlings who knew well enough to publish a detailed Congressional statement less than a month after he took the oath of office. And yet these underlings couldn’t muster up the nerve to ask the Commerce Department for authoritative figures from a government statistician with a PhD in economics?

We’re getting bad intelligence from the head of U.S. intelligence, folks. And bad intel is worse than no intel at all.

I wish someone on the committee had asked Blair how McAfee derived that $1+ trillion guesstimate. The transcript of his response might read something like this:

“Well, uh, you see, these guys, they— they analyze malicious software code all day long. And I imagine a lot of the damage was caused by the offensive cyber warfare technology that McAfee freely turned over to the Chinese government right under our very noses. So, um, they’re eminently qualified to be global claims adjusters. If I was, you know— an, an insurance firm, and these ‘combat coders’ at McAfee told me that I owed the world over a trillion dollars— I’d certainly be inclined to believe the accuracy of their figures…”

Obama took office on a mandate to “change” government. And yet he picked an intelligence director who takes computer security rhetoric at face value. That’s straight-up status quo, folks.

Memo to Dennis Blair: I cannot believe you cited McAfee. Seriously, Admiral: your underlings let you down. Ask the NSC to brief you on McAfee’s deep involvement in arming China with cyber smallpox technology. You’ll discover the NSC called me in March 2001 for details. Called my home. At 7am…

  • By Gsparky, 14 February 2009 @ 8:04 pm

    “You’ll discover the NSC called me in March 2001 for details. Called my home. At 7am…”

    (RING!!!! RING!!!)
    … muffled sound… heavy breathing…

    “Uh… hello?”

    “Yeah, hello, Rob! Do you mind if I call you Rob? Yeah, John at the National Security Council. Need some info on the Chinese and why they might want software from McAfee. Got any ideas? Thoughts? I mean, what could the Chinese want with this type of software?… Uh… Hello?!?? Rob….”

    (click)

  • By AmyRQA, 29 March 2009 @ 5:04 pm

    Hello again, Rob.
    We last exchanged emails following the Nimda hit.
    Re: this column (from 3/22), do check out the NYT piece about Chinese cyberspying (link: http://preview.tinyurl.com/cvt3t6 )

    Gee whiz, you’d think this was the first time anyone had uncovered a network of cyberspying not limited to phishing and spam-spewing zombie bots. In the 30 min. I’ve been online today, I’ve had 18 firewall hits, 16 from IPs in China, with five hits of a Slammer worm. Yes, all rebuffed, of course. Judging from the comments posted to this NYT piece, people seem clueless to simply shutting down ports on their tubes.

    You’d think that someone at the NYT would suggest checking out dshield.org, or at the very least do a public service of suggesting people understand what a firewall is? But that would require some effort by semi-Luddite readers to understand the means by which cyberspying is done. Maybe David Pogue can pick this up?
    Errr.. I should add, what do YOU think of Pogue? (Take your answer offline, if you’d like.)

    As always, your work is stellar, Rob. A welcome voice in the blizzard of hype and fear-mongering. Keep it up!
    Amy ( a long time fan )
