Truth About Computer Security Hysteria

Mr. Rosenberger goes to Washington

LET'S BOW OUR heads for a modem of silence to remember the billions millions thousands hundreds dozens of PCs wiped out yesterday by a year-old anti-Claus known as Kriz. Truly, last night was a silent night for some computers.

The National Security Council invited the antivirus industry to a first-ever roundtable dialog meeting. Vmyths.com received a "Cinderella" invitation.

If your PC survived the Christmas onslaught, then you were blessed with a Miracle on 2600^th street. No doubt about it.

And speaking of Christian traditions... A missa cantata took place last week at the White House. The National Security Council invited members of the antivirus industry to a roundtable meeting. Vmyths.com received an invitation — one of only about a dozen — and I flew to the capitol entirely at my own expense.

The meeting occurred largely because David Perry (Trend Micro) pushed for it. He pitched the idea for months to FBI NIPC, but they never expressed an interest. Perry's efforts somehow got the attention of National Security Council member Richard "digital Pearl Harbor" Clarke, who liked the idea. He decided to hold the shindig in December.

The meeting took place in the old executive office building, just down the hall from Tipper Gore's staff and one floor above Nixon's infamous taping room. We even passed through the "Monica Lewinsky" entrance. I wore a silk After Dark screensaver tie and sported a fresh flattop haircut. Jimmy Kuo (McAfee) blew away the "suits & dresses" crowd with a blue-collar workshirt embroidered with a URL on the back. Steve Trilling (Symantec) looked almost presidential in his dark wool overcoa--

Hmmm? Oh, sorry! Reporters offer banal details about clothing & hairstyles whenever hackers meet with the president. I just assumed attire was an important part of any White House summit meeting. Well then, let's continue...

My invitation will come as a "Cinderella" shock to the rest of the antivirus industry. Look at Command Software, for example — they hold the House of Representatives antivirus contract but they didn't get to go. How a bombastic creator of drivel like me got invited, I'll never know.

The gov't attendee list reads like alphabet soup. Representatives came from the president's National Security Council (NSC), the president's Critical Infrastructure Assurance Office (CIAO), the president's staff office, the Office for the Secretary of Defense (OSD), CIA, NSA, the military's Joint Task Force for Computer Network Defense (JTF-CND), the State Department (DoS), the Commerce Department (DoC), the General Services Administration (GSA), the Energy Department's Computer Incident Advisory Capability (DoE CIAC), and the Federal Bureau of Investigation's National Infrastructure Protection Center (FBI NIPC).

A couple of notables failed to show. FBI NIPC director Michael Vatis had some "personal issues" at the last minute, but the meeting organizers learned of it in time to publish a deputy's name in the handouts.^[1] (Hmmm.) Commerce Secretary Norman Mineta appeared on the pre-gathering attendee list, but he bowed out to attend a job fair. Former Army Secretary John Marsh took his place for all intents & purposes.

Also, Microsoft security bigwig Howard Schmidt failed to show. It does not bode well for Redmond to blow off the White House's first antivirus shindig. Hmph. He didn't even send Scott Culp in his place.

CERT^® didn't appear on the gov't guest list — and CIAC thankfully sent bigwig Sandy Sparks. We scored two points for sanity, because CERT doesn't understand viruses like CIAC does.

A rumor says the incoming National Security Advisor was not briefed about this meeting before it took place.

Crypt Newsletter scooped the planet with news of the meeting; the first industry press release didn't appear until two days later. That issue of Crypt flew around the world minutes after it hit the streets according to a source in the antivirus industry and a source in the military intelligence community. I myself didn't alert the Teeming Millions until a few hours later.

Okay, I admit it: I briefed Crypt editor George C. Smith well in advance. What can I say? He's a Vmyths.com columnist and a bombastic creator of drivel just like me.

I DIDN'T BOTHER to mention this "historic" meeting on Vmyths.com until today. Frankly, it didn't accomplish much on the surface. One official kept nodding off from sheer boredom. No joke: I saw more excitement on my plane trips.

(FYI, a woman suffered a heart attack on the way to D.C. and a guy tried to leave the aircraft on the way back. But let's not digress again...)

First, the meeting took place at exactly the wrong time. Why did the White House hold it in the middle of December, after Congress adjourned, on the day when the electoral college decided our next president? Why did they only hold it for three hours? Why didn't FBI NIPC buy into this meeting before Perry pitched it to the NSC? Heck, a rumor says the incoming National Security Advisor wasn't even briefed in advance about it.

Second, what took the White House so long to open a dialog with the antivirus industry? They long ago sealed formal ties with the anti-hacking industry. What gives? Viruses appeared in 1986 and Michelangelo hysteria dates back to 1992.

Third, the meeting didn't include enough industry wonks. Symantec/IBM, McAfee/Network Associates, Trend Micro, and ICSA dominated the head table while lesser wonks (myself included) sat against the wall. Why didn't Command Software, Tumbleweed, Finjan, or Central Command get to play wallflower games with me? Who decided not to invite the U.S. offices for Sophos, F-Secure, Kaspersky, or Panda?

Fourth, the meeting included too many capitol wonks who spoke too much. I'm not alone in this opinion: an NSC member passed notes to Perry whenever officials got long-winded, at which point Perry would interrupt the person. I expected a 1-to-1 ratio of government/industry representatives, but it wound up as 2-to-1 — and Perry confirms the White House turned away 40-50 officials who begged to attend.

Fifth, who invited ITAA president Harris Miller to the meeting? He contributes nothing to an antivirus roundtable. He didn't even take part in the first hour of discussions, yet Miller somehow weaseled a chair at the head table. Every time he piped up with a comment, I said to myself "and people will think I'm self-important here." {sniff} I smell a lobbyist.

Who invited ITAA president Harris Miller? He contributes nothing to an antivirus roundtable, yet there he sat — at the head table. {sniff} I smell a lobbyist.

Sixth, the meeting received no pre-publicity and very little post-publicity. Reporters didn't know to cover it, and only one antivirus firm bothered with a press release two days later.

Finally — yet by far the most important — this "government-industry dialogue" meeting took place last year. CIAO's John Tritak admitted as much when he said the gathering would "build on the very good working relationships" antivirus firms formed with the government during the Y2K virus media fiasco.

"But Rob," you plead, "was the meeting worth it?" Yes. Outwardly, it may lead to a more effective open-door security meeting in 2001. Inwardly, CIA & NSA reps finally noticed something very important about the antivirus industry...

GOVERNMENT EXPERTS PRODUCE a lot of good anti-hacking software, but they've repeatedly failed to write a good anti-virus program. Washington can tell companies like ISS to shove it if they wish, and companies like ISS know it. But all governments worldwide must deal with companies like Symantec. They simply have no choice in the matter, and companies like Symantec know it.

Governments cannot maintain their own antivirus software if it follows the addictive update model. After-the-fact detection requires an update even if a 14yr-old wannabee changes a virus by a few bytes. Contrast this with anti-hacking software, which doesn't need an update every time a 14yr-old wannabee launches a trivial attack. Anti-hacking products only need an update when a new type of hack surfaces.

Governments abandoned every antivirus software project because it wasn't worth the update effort. Profit alone fuels the addictive update model.

Come on, you're almost there! Say it with me: "Governments abandoned every antivirus software project because it wasn't worth the update effort." Profit alone fuels the addictive update model. Washington could break its addiction to antivirus software if they understood this overwhelming truism. CIAC figured it out years ago, but no one will listen to them.

Antivirus firms will again call me a bombastic creator of drivel. "How dare you equate us to drug pushers! We save the world from viruses in case you didn't notice." Actually, I equate their products to cigarettes. But let's not digress yet again.

This overwhelming truism created a roadblock at last week's meeting. CIA, NSA, JTF-CND, and other agencies want to know what's going on in the virus world — but the "old boy" network wants to control who gets access to their inner sanctum of knowledge. Don't get me wrong: information can flow to the antivirus industry without hindrance. It simply won't flow from the industry without adequate filtration.

The antivirus industry can easily "explain" why they want to control access to their knowledge base. First, these international conglomerates don't want other countries to treat them like an arm of the CIA. Second, they don't want to get involved in countless FBI witch hunts. Sounds pretty logical, doesn't it?

Bah humbug. If a CIA analyst buys into this line of logic, then he deserves a fellowship assignment at FBI NIPC. The anti-hacking and anti-virus industries staffed the president's Y2K crisis center last year. These guys have no problem talking to governments when they talk on their terms.

Face it: the pushers want to control the addicts. No more, no less.

But why should you believe the ramblings of a bombastic creator of drivel? Ask the CIA & NSA reps who attended last week's meeting. I know they saw the roadblock...