Truth About Computer Security Hysteria
The China SyndromeRob Rosenberger, Vmyths co-founder
Friday, 30 March 2001
WALL STREET JOURNAL investigative reporter Ted Bridis deserves a long round of applause. He documented the antivirus industry's eagerness to hand over viruses to the Chinese government.
The Wall Street Journal exposed one of the antivirus industry's dirty little secrets. So, what does it mean to Joe SixPack? Answer: it means nothing.
I assure you, Bridis struck a nerve in the industry like no one else has ever done. Doors started slamming shut at antivirus firms — and in the hallways of the White House itself — before the story hit newsstands. We'll talk about the White House implications in a minute, but right now I want to explain what it all means to Joe SixPack.
Answer: it means nothing.
The China revelation
A message this morning from Richard M. Smith (Privacy Foundation) summed it up pretty well. Virus collecting ain't exactly rocket science.
Still, I suspect many non-Chinese computer users will cringe at the revelation. Antivirus firms suspect their customers will cringe, too, and the spin control will flow from a spigot if this story blows up in their face.
Let me play devil's advocate to show why this story shouldn't blow up.
China is one of five permanent members on the United Nations security council. They've got nuclear missiles, nuclear torpedoes, and nuclear artillery shells. Its populace stacks up almost five-to-one compared to the United States. China enjoys most favored nation trading status with the U.S. despite their systemic abuse of human rights. The Asian behemoth offers a potential new market for the addictive update model, and antivirus firms want to be in position when citizens finally get hooked on computers.
Antivirus firms want China to hire them to protect communist computers. As the devil's advocate, what gives me the right to decide what a sovereign nation may demand from its cyber-bodyguards? For this reason, antivirus firms didn't violate my personal code of ethics when they turned over their virus libraries to the Chinese regime.
Antivirus firms didn't violate U.S. law. Commerce Dept. undersecretary William Reinsch admitted as much in the Wall Street Journal story.
Some people will moan about the Daddy Warbucks in the antivirus industry, but they'll eventually get over it. They have to get over it — because they're addicted to antivirus updates. Few users will vote with their wallets. They'll grudgingly continue to pay antivirus firms for the products they want.
If you corner them, the fools will rationalize the status quo as the safer of two evils. Bah. If you're one of the fools and I just offended you, then too bad. I don't get paid to make you feel good. I get paid to tell you the truth.
And, truth be told, this revelation was almost an open secret in the antivirus industry. I don't know why WSJ is making a noise about this right now, said Vesselin Bontchev (FRISK), a founding member of the Computer Antivirus Research Organization. We've known it for months. In general terms, CARO members agree that if we're going to give a virus to somebody outside CARO, we'll inform CARO about it.
Inform CARO members? Yes. Inform the rest of the world? No. Antivirus vendors kept it quiet for marketing reasons. And that's why the Wall Street Journal covered it.
I said it before and I'll say it again. If one American citizen gives computer viruses to China, everyone will call him a traitor. Yet if a large antivirus firm does the same thing, everyone will grumble, but they'll still buy the firm's software. Ask yourself why we'll accept it at the corporate level when we won't tolerate it at the personal level.
A double standard exists because people can't give up their addiction to antivirus updates. Addicts need their pushers.
Addicts usually won't even switch brands unless they can easily replace one addictive product with another. Companies can't easily replace antivirus software: it's too costly and too time-consuming. The status quo will therefore remain the status quo.
You can at least take comfort in poetic irony if the Chinese revelation offends you. Capitalistic firms gave up their trade secrets (so to speak) to a low-tech communist regime known for rampant software piracy. It's not a security debacle — it's a marketing debacle!
This dirty little secret makes the White House National Security Council look like the Keystone Cops. And the head Keystone is Richard Clarke.
You can also take comfort in something else. One virus expert at Network Associates resigned in disgust this morning. Somebody out there has morals...
Former president Clinton appointed Clarke to the NSC to watch over infrastructure threats. For over two years now, he has predicted a digital Pearl Harbor that will wipe out the United States. This cyber-scenario comes primarily in the form of the People's Republic of China (PRC), Cuba, and Osama bin Laden. The Red Army's computer warriors alone can destroy whole U.S. cities with a mouse click according to Clarke's prevailing theory.
Clarke made some friends in the antivirus industry because he wants to protect the U.S. from über-viruses. These friendships proved useful as Y2K loomed — you may recall the White House feared Y2K viruses would destroy the Internet (and they literally begged hackers for a reprieve). Clarke's lieutenants invited antivirus experts to man the situation room so the government could coordinate face-to-face with antivirus cleanup crews. Nothing happened, though, so they all flew back home.
Clarke continued to predict a cybergeddon if China should ever lose its temper. He later invited antivirus wonks back to Washington to discuss ways to defend the U.S. from virus attacks. The meeting included officials from the CIA, the NSA, and the military's Joint Task Force for Computer Network Defense.
NSA & CIA made it clear they wanted to join the inner sanctum of antivirus experts. Clarke even proposed secure telephones so vendors could speak confidentially with the White House. The spooks in D.C. wanted to tap into the industry's massive knowledge base — but the industry declined. We encourage you to give us any intelligence data you have, the industry mused, but we need to sanitize our own data before we can give it to outsiders. It's just too sensitive.
Besides, the experts continued, each of our firms is a large multinational conglomerate. We don't want to look like a tool of the CIA. It's bad for business.
Clarke somehow survived the Clinton administration (no mean feat). He recently convinced Bush's national security advisor of the threat posed by China's dangerous electrons...
Then Clarke learned the antivirus industry trades viruses with China. Ouch. Antivirus firms aren't a tool of the CIA — they're a tool of the PRC! Bad for business, indeed.
As much as I despise Richard Clarke, I'll give him some free advice...
Or can they?
I don't know the specifics, but I do know Clarke received a face-to-face briefing from an antivirus bigwig just before the story broke. I'll bet a soda Clarke dominated the meeting.
The White House has a golden opportunity to control their relationship with the antivirus cartel. As much as I despise Clarke, I'll give him some free advice:
First, dude, you need to move fast. Strike while the iron is hot, as my former boss likes to say. Set up another industry roundtable meeting at the White House, in May, and invite smaller antivirus firms along with the big boys. Invite Ted Bridis of the Wall Street Journal to represent the media, and invite Vmyths.com to once again represent antivirus critics. (You bestow legitimacy on a meeting the instant you invite a true critic.) Oh, and invite the White House press corps to cover it.
Make security of virus technology the #1 item on your agenda. Make it your agenda, not the industry's. Act indignant right from the beginning. America trusted your firms to protect them, and here Mr. Bridis catches you giving deadly über-viruses to the Commies... Bring up the specter of a digital Pearl Harbor (go on, I promise not to interrupt you).
Then you hit 'em with the zinger. The federal government alone spends [amount] on antivirus software each year. Why should we buy it from companies that increase Washington's risk of a cyber-attack? Smaller vendors will jump on your bandwagon when you spout that dollar figure. Larger vendors will have no choice but to kowtow. And I will personally credit you for making a difference.
Moses' staff fell into Richard Clarke's hands. He can part the Antivirus Sea with it. But he's gotta move fast.
Moses' staff fell into your hands, dude. You can part the Antivirus Sea with it. But you gotta move fast. Don't blow it.
I've taken two VIP tours at Command Software over the years. An old industry rumor says Command dropped its pan-Asian marketing plans after getting burned by software pirates. I contacted the director of business development, Lance McKay, who admitted we did definitely have a bad experience in Hong Kong, and we did walk away. At least for now.
McKay politely declined to talk about the software piracy rumor, but I know he can see the poetic irony here. I doubt Command will give up trade secrets (so to speak) to a low-tech Communist regime known for software piracy.
Hey, another rumor just fell in my lap. An antivirus company (identity not confirmed) will review its Russian worker hiring practices. First the Chinese, now the Russians...