Truth About Computer Security Hysteria
The U.S. president can't tell you a simple number
Rob Rosenberger, Vmyths co-founder
Sunday, 24 May 1998
President Clinton mentioned über-hackers in his commencement speech to U.S. Naval Academy graduates. These scofflaws routinely "raid banks, run up credit card charges, [and] extort money by threats to unleash computer viruses. If we fail to take strong action..." He then announced a directive inspired by a media-hyped report from the President's Commission on Critical Infrastructure Protection.
PCCIP sprinkled its final report with only a light dusting of the word "virus" — but they still managed to screw it up. Look carefully at this snapshot of Table 1. Which of these things is not like the others?
Every line of the table except for one provides a total number: PCs, LANs, people who can launch a dreaded cyber attack, etc. Yet the table only identifies the number of different viruses. The president's commission knows how many disgruntled ex-employees can disrupt satellite pager service, yet they can't give us a grand total for viruses. Why?
The very first table in the PCCIP report contains an important error. Again, why?
I believe the error crept in because the president's commission failed to consult genuine virus experts. They instead listened to the likes of Dan Shimshak, a University of Massachusetts chairman who fell for the Deeyenda virus alert hoax. I believe the president's commission read any number of media stories which mention the total number of unique viruses instead of the total number of viruses.
Did the president's commission ask around for a virus grand total? Apparently not. I queried numerous genuine experts: none of them received a request from PCCIP for data of any sort. Nobody asked them to review a draft of the report. Antivirus companies and independent virus researchers didn't know what it contained before its debut.
It seems the President's Commission on Critical Infrastructure Protection failed to conduct adequate research into the virus problem. Did they drop the ball anywhere else in their report?