Truth About Computer Security Hysteria
Internet more valuable than a human life?
Wednesday, 11 August 1999
I SOMETIMES ASK the U.S. government for data via the Freedom of Information Act. I recently
filed FOIA requests to see how the Air Force handled itself during the Melissa hysteria.
To understand how the Air Force reacted, we need to understand the "INFOCON" system. The Secretary of
Defense established it along the lines of the old "DEFCON" system and the more recent
"THREATCON" system. The five basic stages of INFOCON go like this:
- NORMAL means "no significant activity" — a theoretical optimum we cannot achieve if we accept
14yr-old hackers as a national security threat.
- ALPHA means an "increased risk of attack." This includes "regional events occurring which
affect U.S. interests," e.g. Kosovo. The military starts watching more closely for ping sweeps
and website vulnerability probes.
- BRAVO warns of a "specific risk of attack" against a computer, a military base, or a deployed
squadron. Expected threats include a "significant level of network probes, scans or activities" for
reconnaissance purposes. A website hack or denial of service attack has "no impact to DoD operations."
- CHARLIE indicates five or more 14yr-old hackers joined modems to attack millions of soldiers, sailors, airmen,
and marines. These attacks achieve "limited impact to DoD operations [with] minimal success,
successfully counteracted." Attackers break into only a few websites which contain little or no nuclear
weapons data. The military can still perform its mission.
- DELTA signifies "general attack(s)" by the Russian mafia and/or the Melissa virus. These
computer intrusions would "undermine [DoD's] ability to function effectively [and would create a]
significant risk of mission failure." At this point the U.S. military must retreat from a battlefield
littered with damaged PCs and smoldering mousepads. Bomb disposal units will deploy the Minesweeper game
to locate unexploded Pentium chips.
"INFOCON DELTA" means the military treats the Internet as a battlefield, complete with damaged PCs and
smoldering mousepads. Bomb disposal units will use the Minesweeper game to locate unexploded Pentium chips.
We used to take DEFCON seriously in the early days of the Cold War, but I doubt many military members know our
current status now. Likewise, I'd bet a soda most military users don't know our INFOCON status right off the top
of their heads. "Hang on, I'll ask the network guys down the hall..."
I mailed FOIA requests to various Air Force units asking for (1) the INFOCON status each day from 15 March to
15 April and (2) a summary reason for any changes. A simple query, right? You'll love the responses:
- HQ U.S. Air Forces in Europe: "computer users were in INFOCON Alpha for each day between
15 Mar 99 and 15 Apr 99. There was no change in the status."
- HQ Air Intelligence Agency: refused to disclose their INFOCON status. "Unauthorized
disclosure of such information could reasonably be expected to cause serious damage to national security.
The document is currently classified."
- 89 Comm Squadron: the presidential support unit passed the buck to HQ Air Mobility Command...
- HQ Air Mobility Command: passed the buck to U.S. Transportation Command...
- U.S. Transportation Command: refused to disclose such sensitive data, "the release of
which would allow circumvention and substantially hinder the effective performance of a significant
- AF Office of Special Investigations: couldn't respond due to a backlog
of FOIA requests. (I half-expected this.)
HQ USAFE alone considered my request banal enough to disclose the answer. HQ AIA's excuse seems highly irregular
-- personnel all over the base scribbled the INFOCON status on whiteboards and posted it at entryways during the
Melissa hysteria. The decision to classify it at all makes no sense when you compare it to the daily
THREATCON status. Do you want to know the chance of a terrorist attack at your nearby military installation? You
can read the status a half-block before you reach the gate. Better yet, ask the delivery boys at a local pizza
I really do like the idea of an INFOCON. It makes sense to standardize the military's awareness
of a threat, be it missiles or terrorists or bytes. It also makes sense to separate a computer threat
from, say, a personnel threat. If a deployed Marine commander asked for the current status, an Air Force
advisor might tell him "sir, we're in DEFCON Normal, THREATCON Bravo, INFOCON Alpha." It conveys useful
news very quickly in a standard form.
Yet to hear HQ AIA say it, INFOCON data is at least as sensitive as THREATCON data. Conclusion: an airman's
Internet connection is at least as important as an airman's life. (Dreamsheet yourselves to Ramstein, guys.