Vmyths.com



Hoaxes, myths,
urban legends

Columnists

Newsletter
signup


Addictive
Update
Model

False
Authority
Syndrome


About us

Computer
security
humor

Truth about computer security hysteria
Truth About Computer Security Hysteria

Internet more valuable than a human life?

Rob Rosenberger, Vmyths co-founder
Wednesday, 11 August 1999 I SOMETIMES ASK the U.S. government for data via the Freedom of Information Act. I recently filed FOIA requests to see how the Air Force handled itself during the Melissa hysteria. To understand how the Air Force reacted, we need to understand the "INFOCON" system. The Secretary of Defense established it along the lines of the old "DEFCON" system and the more recent "THREATCON" system. The five basic stages of INFOCON go like this:
  • NORMAL means "no significant activity" — a theoretical optimum we cannot achieve if we accept 14yr-old hackers as a national security threat.
  • ALPHA means an "increased risk of attack." This includes "regional events occurring which affect U.S. interests," e.g. Kosovo. The military starts watching more closely for ping sweeps and website vulnerability probes.
  • BRAVO warns of a "specific risk of attack" against a computer, a military base, or a deployed squadron. Expected threats include a "significant level of network probes, scans or activities" for reconnaissance purposes. A website hack or denial of service attack has "no impact to DoD operations."
  • CHARLIE indicates five or more 14yr-old hackers joined modems to attack millions of soldiers, sailors, airmen, and marines. These attacks achieve "limited impact to DoD operations [with] minimal success, successfully counteracted." Attackers break into only a few websites which contain little or no nuclear weapons data. The military can still perform its mission.
  • DELTA signifies "general attack(s)" by the Russian mafia and/or the Melissa virus. These computer intrusions would "undermine [DoD's] ability to function effectively [and would create a] significant risk of mission failure." At this point the U.S. military must retreat from a battlefield littered with damaged PCs and smoldering mousepads. Bomb disposal units will deploy the Minesweeper game to locate unexploded Pentium chips.
"INFOCON DELTA" means the military treats the Internet as a battlefield, complete with damaged PCs and smoldering mousepads. Bomb disposal units will use the Minesweeper game to locate unexploded Pentium chips.
We used to take DEFCON seriously in the early days of the Cold War, but I doubt many military members know our current status now. Likewise, I'd bet a soda most military users don't know our INFOCON status right off the top of their heads. "Hang on, I'll ask the network guys down the hall..." I mailed FOIA requests to various Air Force units asking for (1) the INFOCON status each day from 15 March to 15 April and (2) a summary reason for any changes. A simple query, right? You'll love the responses:
  • HQ U.S. Air Forces in Europe: "computer users were in INFOCON Alpha for each day between 15 Mar 99 and 15 Apr 99. There was no change in the status."
  • HQ Air Intelligence Agency: refused to disclose their INFOCON status. "Unauthorized disclosure of such information could reasonably be expected to cause serious damage to national security. The document is currently classified."
  • 89 Comm Squadron: the presidential support unit passed the buck to HQ Air Mobility Command...
  • HQ Air Mobility Command: passed the buck to U.S. Transportation Command...
  • U.S. Transportation Command: refused to disclose such sensitive data, "the release of which would allow circumvention and substantially hinder the effective performance of a significant function."
  • AF Office of Special Investigations: couldn't respond due to a backlog of FOIA requests. (I half-expected this.)
HQ USAFE alone considered my request banal enough to disclose the answer. HQ AIA's excuse seems highly irregular -- personnel all over the base scribbled the INFOCON status on whiteboards and posted it at entryways during the Melissa hysteria. The decision to classify it at all makes no sense when you compare it to the daily THREATCON status. Do you want to know the chance of a terrorist attack at your nearby military installation? You can read the status a half-block before you reach the gate. Better yet, ask the delivery boys at a local pizza shop. I really do like the idea of an INFOCON. It makes sense to standardize the military's awareness of a threat, be it missiles or terrorists or bytes. It also makes sense to separate a computer threat from, say, a personnel threat. If a deployed Marine commander asked for the current status, an Air Force advisor might tell him "sir, we're in DEFCON Normal, THREATCON Bravo, INFOCON Alpha." It conveys useful news very quickly in a standard form. Yet to hear HQ AIA say it, INFOCON data is at least as sensitive as THREATCON data. Conclusion: an airman's Internet connection is at least as important as an airman's life. (Dreamsheet yourselves to Ramstein, guys. ASAP.)