Let’s cut to the chase. U.S. Deputy Defense Secretary William J. Lynn III wrote an op-ed for a commercial publication in which he claims a single USB thumb drive caused the worst military data breach in history. And according to Wikipedia, that one little USB stick led to the creation of the Pentagon’s new Cyber Command.

Why did it take this guy nine years to hear a “wake-up call”?

Breathless reports like this one say this single specific tiny little USB thumb drive got infected with agent.btz, a tiny little chunk of malware the antivirus world has known about since, what, 2008? Yet it took at least 14 months for the Pentagon to clean it up.

Come on, people — fourteen months?!? The antivirus experts dismiss agent.btz as banal, not brilliant.

I’ll bet it took so long only because it was a classified operation. This malware would have blown over in a week if DoD-CERT had issued an email saying “hey, there’s a new virus running around, please scan your PCs for agent.btz.”

{sniff} I can definitely smell a lot of groupthink here. Not to mention hype, which goes hand in hand with groupthink.

Lynn suffers from a short memory span. We know this because he thinks the Pentagon got “a wake-up call” when agent.btz slithered into classified networks. If Lynn’s brain had more RAM, he would recall the Melissa virus did EXACTLY the same thing in 1999. It infected classified U.S. networks at a depth & scope even I myself would label “impressive.”

“Rob, how do you know the Melissa virus invaded classified networks in 1999?” I know it because (here comes an atomic bomb!) I received an Air Force Outstanding Volunteer Service Medal for all the community service I provided to the U.S. intelligence community in the 1990s (back when Vmyths was known as the Computer Virus Myths Home Page). You can see the original framed medal, with citation, hanging on my wall in this video.

Did Gil Grissom lift a thumb­print off that USB thumb drive? I can’t wait to see an “FBI most wanted” poster with that finger­print on it…

I voluntarily wore my civilian hat countless times to quash the many virus hoaxes that raged deep within the U.S. intelligence community in the 1990s. Why did I wear my civilian hat when I could have worn my Air Force uniform? The answer is simple: most fools in the intelligence community won’t listen to DoD virus experts. So they called on me. A lot. And then they praised me with an Air Force Outstanding Volunteer Service Medal.

You know, I should plow through my personal email archives to see if Lynn got duped by a virus hoax in the 1990s. It wouldn’t surprise me if he did. His writing style exhibits just a hint of gullibility…

Okay, let’s get back on track. You can see I’ve got a healthy dose of skepticism over Lynn’s “Buckshot Yankee” revelation. And I’m not alone: Wired filed a story with the headline “Insiders Doubt 2008 Pentagon Hack Was Foreign Spy Attack.”

Waitaminit. GCN‘s breathless story includes the phrase “Lynn said Wednesday in a teleconference with reporters.” You mean to say he gabbed with the media on top of all the hype he wrote in an official capacity for a commercial publication? {sniff} I smell a book deal in the works when Lynn’s boss retires next year.

Memo to William J. Lynn III: an SES-4 nominated me for that Air Force medal, you know…

Dear Howard (may I call you Howard?),

Long time no talk. Waitaminit, when’s the last time we ever gabbed on a phone? You never call, you never write. But enough chit-chat. Let’s discuss your new chairman position at US-CERT.

An open letter to Howard Schmidt, a former White House cyber­space secu­rity advisor who returned to Wash­ing­ton as chair­man of US-CERT

We’ll begin with the obvious. As a whole, the antivirus industry dismisses CERT/CC as a naïve little sister who gets injured every time she tries to play football with her big brothers. I don’t make this claim lightly. Worse: the antivirus industry views US-CERT as the siamese twin to CERT/CC. I myself hold neither agency in high regard due to their co-dependent relationships with some of the dead wood at DHS.

Richard Pethia’s leadership at CERT/CC certainly annoys me — but I felt a lot better about US-CERT when you got tapped for the chairmanship. I’m an unabashed fan of yours and I ain’t afraid to admit it. Call me crazy but I like you. So if you don’t mind, I’d like to advise you on three big issues you should focus on during your tenure.

First, we need another roundtable meeting to bring government computer security analysts together with the Fortune 1000 CISOs. My sources say you’ve tried to bring the corporate sector to Washington at least since mid-2004 so they can (in your own words) “articulate to the government” where they see the role of government. You’ll head in the right direction with this effort and you need to keep it up. Ignore anyone who thinks otherwise.

You’ll notice I didn’t say “conference” and I didn’t say “computer firms.” You specifically need a roundtable meeting with the Fortune 1000 CISOs. The U.S. corporate sector as a whole needs to tell the government what cybersecurity missions they can do all by themselves; what they can’t do all by themselves; and what they collectively need from the government. Conversely, the feds must reveal what cybersecurity missions they can do all by themselves; what they can’t do all by themselves; and what they need from the corporate sector. This explains why you need to set up a roundtable meeting rather than a conference.

And remember! You bestow true legitimacy on a meeting when you invite a true critic. Notice I didn’t say “me” and I didn’t include Vmyths. Richard Forno (InfoWarrior.org) would make an excellent choice, for example. I can name other critics if he declines.

You & I travel in some of the same circles, so let me point out a major issue for your roundtable meeting. You know many CISOs incorrectly fear the U.S. Freedom of Information Act (FOIA). A roundtable meeting may help to allay those fears. Government analysts are experts at assembling and sanitizing intelligence data. Computer security analysis is a realm best left to the intelligence community. You must make this clear to the corporate sector.

(I just hope those government cyber-analysts will someday realize their pecking order within the intelligence community. “Who needs HUMINT when you can monitor IRC chat rooms?” Bah. You don’t even want to get me started about the SQL/Slammer threat briefing you & Richard Clarke received at the White House. “This mIRC log conclusively proves a hostile nation-state ordered its über-warriors to blow up western civilization right after they finished the evening shift at Taco Bell!” Sheesh. I just hope you didn’t fall for such a shoddy intelligence briefing. Ah, but I digress…)

Second, US-CERT must continue to strive for a standard naming convention for viruses & worms. The industry’s historic lack of concern (and I do mean “lack of concern”) has reached a crucial point — not within the antivirus industry, but within the industry’s customer base. Critics want a single standard name for each virus. Customers want it, too. The U.S. government is a big antivirus customer. You gotta throw enough bucks at MITRE.org so they can get this project off the ground.

Trust me, Howard. Antivirus firms are lazy beasts. If Washington comes up with a virus naming convention, the global antivirus industry will moan & groan, but they will embrace it. And then they’ll usurp credit for it. But hey, that’s life.

Third, you need to reiterate the threat posed by our “blind trust in software firms,” as you yourself so eloquently put it. You’ve pointed out the P-Tech Software/Al Qaeda Terrorism investigation and the JECC Software/Aum Shinrikyo Terrorism investigation. This time, deep within US-CERT, you also need to point out how U.S. antivirus firms armed China for years under our very noses. Members of the antivirus industry now arm Cuba with viruses and they almost certainly arm North Korea, too. (Let’s hope your intelligence analysts already knew this.) We’d never trust some of these virus experts with the combination to a GSA safe, yet we blindly trust them to protect top secret government PCs. There’s something wrong with this picture and you know it.

Okay, now you know the three big issues you should focus on during your US-CERT tenure. Time for me to ramble incoherently for the next few paragraphs.

Amit Yoran struck me as an optimist who felt our top bureaucrats wanted to protect corporate infrastructures from suicide hackers. Neither you nor I (yet) subscribe to this view. We both realize the top bureaucrats need to nitpick over the political apparatus before they can police our corporate infrastructures. The bureaucrats lost sight of their true mission when they started fighting over turfs & budgets.

This explains why Amit Yoran resigned in frustration. He went to D.C. to guide cyber-security initiatives when in fact he should have guided the apparatus. Yoran was the wrong man for the job.

Poland’s Lech Walesa faced the same kind of problems you faced at Microsoft. Each apparatus needed someone to bring it back into focus. Granted, neither you nor Walesa got the credit you deserved for pulling the apparatus together during your tenures. But hey, you both realized what needed to be done and you did it. You were the right men for the job. This puts you above Amit Yoran.

Just remember: you’re starting over again and you’re quite a bit lower on the food chain this time around. Good luck.

So! Let’s end this on an upbeat note, Howard.

Your CERT/CC counterpart, Richard Pethia, missed Melissa‘s ultimate lesson in 1999. The antivirus industry dismisses him as a myopic figurehead — but they don’t dismiss you so far as I know. To be specific, you helmed Microsoft’s security teams at the turbulent beginning of real change. More to the point, I know for a fact your teams recognized Melissa‘s ultimate lesson the day it struck. Just be sure to get your virus expertise from real virus experts. (And I don’t mean myself.)

That’s it for me. Hope you enjoyed the holidays. Your unabashed fan, Rob.