Truth About Computer Security Hysteria
Re-visiting the Michelangelo virusGeorge C. Smith, Ph.D., Editor-at-large
Saturday, 23 February 2002
Step inside the Wayback Machine with your Editor-at-Large. Ten years ago, I wrote the following article dissecting the furor over a computer virus known as Michelangelo. While windbags, exaggeration and a love of ridiculous quote have never gone out of style, other changes brought about by progress lend the piece an almost semi-optimistic naivete a decade later.
Only a couple thousand viruses, silly messages, "beware the next round...", the dread Mutation Engine and chagrined journalists. But no National Infrastructure Protection Office, no cybersecurity
-- George Smith, March 2002
The press couldn't get enough of Michelangelo.
But did it fall prey or save the day?
Originally published in the
Washington Journalism Review
At first glance, the story was a sexy one. The virus had an instantly recognizable name. It was attached to a specific date — March 6 — an attractive hook for editors with a penchant for calendar journalism. It was simple: On the birthday of its namesake, the virus would destroy data within the computers it had infiltrated through infected disks.
And it boasted big numbers: By one estimate, as many as 5 million IBM and IBM-compatible computers worldwide were going to be victims of Michelangelo, a relatively small computer code written and unleashed by an anonymous, devious programmer.
Newspapers around the country ran headlines warning of imminent disaster. "Thousands of PC's could crash Friday," said USA Today. "Deadly Virus Set to Wreak Havoc Tomorrow," said the Washington Post. "Paint It Scary," said the Los Angeles Times.
Weeks after M-day, many antiviral software vendors and some reporters still insist the coverage prevented thousands of computers from losing data. John Schneidawind of USA Today says "everyone's PC's would have crashed" had the media not paid much attention to Michelangelo. The San Jose Mercury News credited the publicity with saving the day.
One widely quoted antiviral vendor, John McAfee of McAfee Associates, says the press deserves a medal.
In reality, many of the predictions were suspect. Those making them, often computer security product vendors or closely related industry associations, usually stood to profit from the widespread coverage. And many reporters bit hard.
One vendor who played a key role was McAfee, one of the nation's leading antiviral software manufacturers and founder and chairman of the nonprofit Computer Virus Industry Association (CVIA). It was McAfee who told many reporters that as many as 5 million computers were at risk. He says he made the projection based on a study that the virus had infected 15 percent of computers at 600 sites. Both Reuters and the Associated Press sent the figure around the world.
McAfee says he didn't present it the way it was reported. "I told reporters all along that estimates ranged from 50,000 to 5 million," he says. "I said, '50,000 to 5 million, take your pick,' and they did."
But researcher Charles Rutstein of the International Computer Security Association (ICSA), a for profit consulting group, says even 50,000 was an exaggeration. Also widely quoted, Rutstein says he told reporters early on to expect no more than 10,000 computers infected worldwide. (There are more than 35 million computers in the United States alone, according to some estimates.) "Five million is just ridiculous, but the press believed it because they had no reason not to," Rutstein says now. "McAfee seems credible."
(McAfee responds that the ICSA and other critics are "fringe groups.")
"I never contacted a single reporter, I never sent out a press release, I never wrote any articles," he says. "I was just sitting here doing my job and people started calling." He maintains that the coverage of Michelangelo cost him money. "It was the worst thing for our business, short-term," he says. "We offer shareware [where users are trusted to pay], so we got tons of calls from non-paying customers.
"Before the media starts to crucify the antivirus community," he continues, "they should look in the mirror and see how much [of the coverage] came from their desire to make it a good story." But he adds quickly, "Not that I'm a press-basher."
Schneidawind's and AP's efforts after March 6 to track Michelangelo found only a few thousand afflicted computers worldwide, including 2,400 erroneously reported to be at the New Jersey Institute of Technology. The institute actually had only 400 computers infected with any virus; few had Michelangelo. A Philadelphia Inquirer reporter got it wrong, says institute spokesman Paul Hassen, and it spread quickly. "That was the first time I've been that close to a feeding frenzy," he says.
Perhaps the most embarrassed news organization was CNN, which on March 6 staked out McAfee's offices in Santa Clara, California, waiting for a doomsday that never came.
Soon after the clock struck midnight on March 6, may reporters seemed to suspect they'd been had. The Los Angeles Times, which had quoted McAfee's 5 million figure on March 4, carried a Reuters story three days later that reported the "Black Death" had turned out to be little more than "a common cold." AP downgraded its "mugger hiding in the closet" to a mere "electronic prank."
AP Deputy Business Editor Rick Gladstone says the wire service quickly downplayed the story after its initial reports and included comments from the ICSA's Rutstein, who said the threat from the virus had been exaggerated. "Our big oversight was to quote McAfee's 5 million figure in the beginning of the coverage but we backed off that," Gladstone says, adding that his staff "felt somewhat vindicated" when relatively few computers were affected on March 6.
"Some of us in the press were suckered," he says.
Schneidawind doesn't feel he was. "We went into this with our eyes open," he says. But on March 9, in an article entitled "Computer virus more fright than might" (the subhead was a more confident "Michelangelo kept at bay by early detection"), the USA Today reporter chronicled his frustrations tracking the virus. He reported that he had asked Rutstein and McAfee, again identified as the CVIA chairman, to provide a working sample of Michelangelo. Both declined. "It'd be like giving him a biological virus because he wanted to play with it," McAfee says.
McAfee was also "reluctant to divulge the names of companies struck by the virus" according to Reuters.
But he insists the numbers aren't as important as "the scope of the problem," which, he says the press largely ignored. "For the first time, you had large well-respected companies shipping the virus with their new computers and software. How did it filter into secure environments like that?"
Schneidawind agrees. "The estimates may have been overblown, but no one new for sure until the 6th," he says. "Consider the BCCI scandal, where everyone faulted the press for not being there. I'd rather err on the side of caution."
Schneidawind didn't seem to do that in a sidebar to his March 9 article in which he listed other computer pests poised to strike in March. Supplied by yet another antiviral software vendor, the list did not reveal that most of the bugs were either variants of the same root virus — known as Jerusalem — or rare species found only in eastern Europe. Like many others the story did not make clear that every week of the year is filled with trigger dates for numerous viruses. (Or that user mistakes destroy more data than viruses do.)
More importantly, only a handful of some 1,000 worldwide viruses are common enough that a user may occasionally encounter one. Of those, most only display silly messages or compel the computer to play a tune.
On March 6, Michael Rogers and Bob Cohn of Newsweek offered a post mortem to Michelangelo that warned readers to "beware the next round of computer viruses," including the Maltese Amoeba and "the scariest new virus ... the Mutation Engine." What they and others such as Ted Koppel of ABC's Nightline and John Fried and Michael Rozansky of the Philadelphia Inquirer failed to say was that the Maltese Amoeba had only been active in Ireland.
Moreover, the Mutation Engine isn't a virus at all, but an encrypting mechanism that virus-writers use to disguise their creations.
To their credit, neither The New York Times nor The Wall Street Journal gave much credence to Michelangelo. John Markoff of the Times in particular provided restrained, intelligent coverage that virtually ignored McAfee and other antivirus vendors. And The Journal's Walter Mossberg wrote a "Personal Technology" column that realistically appraised the viral threat as minimal.
For some soul, the coverage given to Michelangelo must have provided quite an adrenalin rush. It certainly did for the press.