I’ve written on computer security hysteria for twenty years and I can tell you this: the U.S. federal bureaucracy has never produced a good economic figure for computer security damages. It’s all about hype, not accuracy.

The problem isn’t in the size or the scope of the numbers. Rather, the feds can’t settle on a ballpark figure and they refuse to show their homework. I believe the former problem stems from every bureaucrat’s desire to mouth their very own brown-tinged guesstimate … and we know the latter problem stems from every bureaucrat’s desire to overclassify their use of public domain knowledge sources.

Obama’s intel chief can do nothing more than quote wild dollar values spouted by two com­panies — one of them not even involved in eco­nomic assess­ments.

The latter problem encourages a bizarre situation that begins when Fearmonger “A” confidently gives reporters a number he pulled out of his butt, and no reporter calls him on it. Fearmonger “B” reads it in the newspaper and says “I’ll use the number from ‘A’ as my own ballpark figure,” and no reporter calls him on it. Fearmonger “C” reads both numbers online and says “I’ll average the numbers from ‘A’ and ‘B’ when I give lectures,” and no reporter calls him on it. Fearmonger “D” finds those three numbers in a Wikipedia citation and says “I’ll normalize the values from ‘A’ and ‘B’ and ‘C’ in my master’s thesis,” and his professor doesn’t force him to disclose where the “raw data” came from…

For the very longest time — and by that I mean for well over a decade — no one bothered to collect empirical data for their guesstimates, not even the feds. But hey, a complete lack of data never stopped bureaucrats from pulling numbers out of their butts and using newspaper stories as their primary source of expertise. Pray tell, who can forget White House cyber czar Richard Clarke’s famous flip-flop before a senate sub­committee in 2002?

We estimate that last year alone, $12 billion were required to clean up the mess from [cyber] attacks in the U.S. economy…

And yet we don’t know that officially, and I can’t tell you officially the names of these banks and companies that were hit, because the only way we know is through the rumor mill.

Let me repeat myself, folks. The U.S. federal bureaucracy has never produced a good economic figure for computer security damages. It’s all about hype, not accuracy.

Okay, so now along comes Barack Obama with his “open” government. He picks Dennis Blair as his top intelligence advisor. Blair gives his first congressional briefing almost seven years to the day after Richard Clarke’s famous flip-flop. What kind of numbers does Blair’s solar calculator yield?

“Ferris Research estimates that the total cost of spam and all of the types of fraud that take advantage of spam’s impact is $42 billion in the United States and $140 billion worldwide in last year, while McAfee estimates that global companies may have lost over $1 trillion worth of intellectual property to data theft in 2008.”

I, uh … well, okay: I expected Blair to pull numbers out of his butt. Instead, he all but admits the entire U.S. intelligence community lacks data concerning one of the five most important threats America now faces. The mighty Blair himself can do nothing more than quote wild dollar values spouted by two companies—

—one of them not even involved in economic assessments. What’s wrong with this picture?

We’re talking about the new head of U.S. intelligence, a career naval leader with underlings who knew well enough to publish a detailed Congressional statement less than a month after he took the oath of office. And yet these underlings couldn’t muster up the nerve to ask the Commerce Department for authoritative figures from a government statistician with a PhD in economics?

We’re getting bad intelligence from the head of U.S. intelligence, folks. And bad intel is worse than no intel at all.

I wish someone on the committee had asked Blair how McAfee derived that $1+ trillion guesstimate. The transcript of his response might read something like this:

“Well, uh, you see, these guys, they— they analyze malicious software code all day long. And I imagine a lot of the damage was caused by the offensive cyber warfare technology that McAfee freely turned over to the Chinese government right under our very noses. So, um, they’re eminently qualified to be global claims adjusters. If I was, you know— an, an insurance firm, and these ‘combat coders‘ at McAfee told me that I owed the world over a trillion dollars— I’d certainly be inclined to believe the accuracy of their figures…”

Obama took office on a mandate to “change” government. And yet he picked an intelligence director who takes computer security rhetoric at face value. That’s straight-up status quo, folks.

Memo to Dennis Blair: I cannot believe you cited McAfee. Seriously, Admiral: your underlings let you down. Ask the NSC to brief you on McAfee’s deep involvement in arming China with cyber smallpox technology. You’ll discover the NSC called me in March 2001 for details. Called my home. At 7am…

Dear Howard (may I call you Howard?),

Long time no talk. Waitaminit, when’s the last time we ever gabbed on a phone? You never call, you never write. But enough chit-chat. Let’s discuss your new chairman position at US-CERT.

An open letter to Howard Schmidt, a former White House cyber­space secu­rity advisor who returned to Wash­ing­ton as chair­man of US-CERT

We’ll begin with the obvious. As a whole, the antivirus industry dismisses CERT/CC as a naïve little sister who gets injured every time she tries to play football with her big brothers. I don’t make this claim lightly. Worse: the antivirus industry views US-CERT as the siamese twin to CERT/CC. I myself hold neither agency in high regard due to their co-dependent relationships with some of the dead wood at DHS.

Richard Pethia’s leadership at CERT/CC certainly annoys me — but I felt a lot better about US-CERT when you got tapped for the chairmanship. I’m an unabashed fan of yours and I ain’t afraid to admit it. Call me crazy but I like you. So if you don’t mind, I’d like to advise you on three big issues you should focus on during your tenure.

First, we need another roundtable meeting to bring government computer security analysts together with the Fortune 1000 CISOs. My sources say you’ve tried to bring the corporate sector to Washington at least since mid-2004 so they can (in your own words) “articulate to the government” where they see the role of government. You’ll head in the right direction with this effort and you need to keep it up. Ignore anyone who thinks otherwise.

You’ll notice I didn’t say “conference” and I didn’t say “computer firms.” You specifically need a roundtable meeting with the Fortune 1000 CISOs. The U.S. corporate sector as a whole needs to tell the government what cybersecurity missions they can do all by themselves; what they can’t do all by themselves; and what they collectively need from the government. Conversely, the feds must reveal what cybersecurity missions they can do all by themselves; what they can’t do all by themselves; and what they need from the corporate sector. This explains why you need to set up a roundtable meeting rather than a conference.

And remember! You bestow true legitimacy on a meeting when you invite a true critic. Notice I didn’t say “me” and I didn’t include Vmyths. Richard Forno (InfoWarrior.org) would make an excellent choice, for example. I can name other critics if he declines.

You & I travel in some of the same circles, so let me point out a major issue for your roundtable meeting. You know many CISOs incorrectly fear the U.S. Freedom of Information Act (FOIA). A roundtable meeting may help to allay those fears. Government analysts are experts at assembling and sanitizing intelligence data. Computer security analysis is a realm best left to the intelligence community. You must make this clear to the corporate sector.

(I just hope those government cyber-analysts will someday realize their pecking order within the intelligence community. “Who needs HUMINT when you can monitor IRC chat rooms?” Bah. You don’t even want to get me started about the SQL/Slammer threat briefing you & Richard Clarke received at the White House. “This mIRC log conclusively proves a hostile nation-state ordered its über-warriors to blow up western civilization right after they finished the evening shift at Taco Bell!” Sheesh. I just hope you didn’t fall for such a shoddy intelligence briefing. Ah, but I digress…)

Second, US-CERT must continue to strive for a standard naming convention for viruses & worms. The industry’s historic lack of concern (and I do mean “lack of concern”) has reached a crucial point — not within the antivirus industry, but within the industry’s customer base. Critics want a single standard name for each virus. Customers want it, too. The U.S. government is a big antivirus customer. You gotta throw enough bucks at MITRE.org so they can get this project off the ground.

Trust me, Howard. Antivirus firms are lazy beasts. If Washington comes up with a virus naming convention, the global antivirus industry will moan & groan, but they will embrace it. And then they’ll usurp credit for it. But hey, that’s life.

Third, you need to reiterate the threat posed by our “blind trust in software firms,” as you yourself so eloquently put it. You’ve pointed out the P-Tech Software/Al Qaeda Terrorism investigation and the JECC Software/Aum Shinrikyo Terrorism investigation. This time, deep within US-CERT, you also need to point out how U.S. antivirus firms armed China for years under our very noses. Members of the antivirus industry now arm Cuba with viruses and they almost certainly arm North Korea, too. (Let’s hope your intelligence analysts already knew this.) We’d never trust some of these virus experts with the combination to a GSA safe, yet we blindly trust them to protect top secret government PCs. There’s something wrong with this picture and you know it.

Okay, now you know the three big issues you should focus on during your US-CERT tenure. Time for me to ramble incoherently for the next few paragraphs.

Amit Yoran struck me as an optimist who felt our top bureaucrats wanted to protect corporate infrastructures from suicide hackers. Neither you nor I (yet) subscribe to this view. We both realize the top bureaucrats need to nitpick over the political apparatus before they can police our corporate infrastructures. The bureaucrats lost sight of their true mission when they started fighting over turfs & budgets.

This explains why Amit Yoran resigned in frustration. He went to D.C. to guide cyber-security initiatives when in fact he should have guided the apparatus. Yoran was the wrong man for the job.

Poland’s Lech Walesa faced the same kind of problems you faced at Microsoft. Each apparatus needed someone to bring it back into focus. Granted, neither you nor Walesa got the credit you deserved for pulling the apparatus together during your tenures. But hey, you both realized what needed to be done and you did it. You were the right men for the job. This puts you above Amit Yoran.

Just remember: you’re starting over again and you’re quite a bit lower on the food chain this time around. Good luck.

So! Let’s end this on an upbeat note, Howard.

Your CERT/CC counterpart, Richard Pethia, missed Melissa‘s ultimate lesson in 1999. The antivirus industry dismisses him as a myopic figurehead — but they don’t dismiss you so far as I know. To be specific, you helmed Microsoft’s security teams at the turbulent beginning of real change. More to the point, I know for a fact your teams recognized Melissa‘s ultimate lesson the day it struck. Just be sure to get your virus expertise from real virus experts. (And I don’t mean myself.)

That’s it for me. Hope you enjoyed the holidays. Your unabashed fan, Rob.