Truth About Computer Security Hysteria

How does the White House know things they admit they don't know?

CONGRESSMAN CURT WELDON (R-PA) used to scream about a coming cybergeddon. Oh, how I adored his idiotic rhetoric.

We need to revisit a Vietnam controversy to understand the role the White House plays in computer virus hysteria.

I loved to listen to Weldon rant. He in turn loved to predict an imminent "electronic Pearl Harbor." You should've heard him at a 1997 InfoWARcon conference, for example. He declared Osama bin Laden had thrown away his anthrax spores and radioactive materials. What did the world's most dangerous terrorist want to replace his weapons of mass destruction with?

Why, CD-ROMs filled with computer viruses, of course! I don't make this stuff up, folks. The congressman from Pennsylvania actually said it.

According to Weldon, bin Laden didn't want to mess around anymore with piddly car bombs and risky skyscraper-jetliner schemes. He gave up on a crazy idea to transmit deadly biological spores via the U.S. postal system. Way back in 1997, the forward-thinking Osama started to convert his cave dwelling suicide bombers into an elite squad of über-hackers.

The congressman from Pennsylvania actually wanted his constituents to believe these things. I kid you not — he believes our great nation will soon suffer the ravages of carpel terrorist syndrome. Osama wants to kill hard disks, not humans.

(Oh, which reminds me. Why does the U.S. Army still hold its annual "Best Ranger" competition? It seems like a complete waste of money to me. Flabby biceps mean nothing to a cyber-warrior. We need battle-hardened brainiacs, not barbarians.)

Of course, not everyone who lives in a cave can learn to write a diabolical computer virus. Not knowing what else to do with his "hacker rejects," Osama sent them away on missions to blow up two U.S. embassies, a U.S. warship, the U.S. military headquarters, the U.S. financial district, and a small field in Weldon's home state.

Sadly, Weldon's backbone disappeared somewhere in that small field. He toned down his "electronic Pearl Harbor" rhetoric. Go figure. New York senator Charles Schumer doesn't let bin Laden's minor diversionary tactics get in the way of his cyber-worries! Doesn't Weldon care anymore about a coming cybergeddon?

But hey, I didn't come here today to berate a spineless cyber-savvy congressman who hails from an Amish state. Nope! Instead, I came here to chide the White House for their life-threatening lack of computer virus data.

I call it "life-threatening" because White House computer security advisor Richard Clarke predicts a cyber-terrorist will soon mastermind an attack so large and so deadly that "the federal government needs a reconstitution plan" just to survive it. Internet warfare has forever changed the nature of terrorism, Clarke insists — even though Clarke admits no Internet warfare has ever occurred.

If we take the Senate and the White House at face value, then the Nimda virus obliterated 1/50th of what Osama bin Laden obliterated at the World Trade Center.

Weldon & Schumer & many others agree wholeheartedly with Clarke's expert views on cyber-terrorism. They all fear Osama bin Virus, not Osama bin Laden ... yet Clarke himself cannot cite the crucial data he needs in the fight against computer viruses. It simply doesn't exist.

Hence, we can safely claim the White House displays a life-threatening lack of data. My tirades about White House ignorance go back to 1998 when I slammed then-president Bill Clinton for his lack of virus data.

BUT THE WHITE House's ignorance of data goes back much farther in time. The Vietnam campaign of B-52 bombings serves as a perfect example of what we see — or more precisely, what we don't see — in today's computer virus battles.

Bear with me, folks: we need to revisit a Vietnam controversy to understand the role the White House plays in computer virus hysteria.

Many hindsight analyses of B-52 strikes over Vietnam point out an obvious flaw in U.S. strategy. Political & military leaders couldn't acquire the correct data they needed to wage a war, so they used incorrect data in its place. Quoting from one such analysis:

As was true throughout the Vietnam War, it was easier to measure effort than results; indeed, the scope of the [B-52] operation may well have influenced the estimate of the effects. [See graphic.] Since a torrent of high explosive inundated the enemy, his losses had to be disastrous.

Now, we can't really declare B-52 strikes "a waste" just because we lacked Vietnamese casualty data. To quote Albert Einstein: "not everything that counts can be counted." A triple-canopy jungle hindered most efforts to assess the battle damage.

However, we can criticize those who would rely on incorrect data simply because they can't acquire the correct data. The White House committed this error during a protracted Vietnam war, and now they commit the same error during a protracted virus war.

But please! Forget Vietnam, will you? That was sooooo "previous millennium." A long-term carpet bombing campaign pales in comparison to the destructive force of just one computer virus.

If you contrast Vietnam-war decision making with today's virus-war decision making, you'll realize we can't declare antivirus software "effective" — because no data in the last 16 years supports this contention. I repeat: no data in the last 16 years supports this contention. None! It simply doesn't exist. Antivirus software generates data, then turns right around and deletes it.

AMAZING, EH? WE'VE never even bothered to measure the effort (let alone the results) of a protracted virus war.

This means we can take Vietnam criticism and apply it directly to our computer virus problem. I repeat myself when I say the White House can cite no historical data on computer virus proliferation over the last 16 years. None! It simply doesn't exist. Antivirus software generates data, then turns right around and deletes it.

But Clarke has an ego: he doesn't like to look ignorant. The president's computer security advisor (like the Vietnam advisor before him) relies on incorrect data when he lacks the correct data.

We can't declare antivirus software "effective" — because no data in the last 16 years supports this contention. Antivirus software generates data, then turns right around and deletes it.

If Clarke claims to know the true scope of the virus problem, then he's deluded. If he claims to know the true effectiveness of the antivirus industry, then he's deluded. President Bush's computer security advisor has no clue simply because nobody has a clue. It's that simple.

(Uh, except for Michael Erbschloe. He's not deluded in the slightest. Nope! He alone knows the true scope of the virus problem and he can calculate it with absurdabsolute precision. Now you know why the TechTV cable network relies on his, uh, unique expertise.)

I believe many — possibly most — corporate security managers want to hide the fact they fight viruses in an arbitrary fashion. Just like Clarke, they'll cite the wrong data before admitting they lack the right data.

A classic "Dilbert" cartoon summed it up best when the pointy-haired boss observed "all of our data is grossly inaccurate ... but I need data in order to manage." Pointy-haired computer security managers rely on concocted data to make themselves look good. Irrational numbers somehow justify their arbitrary decisions. Sometimes they'll even concoct their own numbers out of whole cloth.

And my belief leads me right back to the president's computer security advisor. Clarke's prepared remarks at a senate hearing in February offered guesstimates of the incredible damage caused by today's misguided youth:

Most of the damage seems to have been done by individuals, or clubs of hackers. But that does not mean that it has not been significant. We estimate that last year alone, $12 billion were required to clean up the mess from those attacks in the U.S. economy. One attack — the Nimda virus last November [sic] — caused over $2 billion in damage to American firms.

Like I said: "delusional." All of Clarke's data is grossly inaccurate ... but he needs data in order to manage. (Sound familiar?)

Future historians will someday write hindsight analyses of the White House's virus war. Mark my words: they will point to a complete lack of virus data in the Clinton & Bush administrations. Clarke himself will go down in history as a foolish pointy-haired computer security advisor to both presidents.

You know, I almost feel sorry for Clarke. Almost.

CLARKE SHOULD POSSESS crucial virus data and he could possess such data — but he doesn't. Like I said: antivirus software itself deletes the crucial data he needs.

If Clarke claims to know the true scope of the virus problem, then he's deluded. If he claims to know the effectiveness of the antivirus industry, then he's deluded.

To quote George Santayana: "those who do not remember the past are condemned to repeat it." Vietnam taught the White House a valuable lesson about the need for correct data, but Clarke forgot that lesson in his own little war against computer viruses. He (like his pointy-haired counterparts) will pull numbers out of his butt to avoid looking ignorant.

Tsk tsk.

The president's computer security advisor all but admitted to his delusions in February at the very same senate hearing. Clarke answered one question from Schumer by saying:

There is a problem right now: companies don't tell the government when they have been hit. The Nimda virus in November [sic] of last year attacked many household-name companies in the banking industry, the finance industry, and elsewhere. And yet we don't know that officially, and I can't tell you officially the names of these banks and companies that were hit, because the only way we know is through the rumor mill.

If he's not delusional, I mean.