Normal

One of the government contractors slurping up our tax money has a slick idea for how the Department of Defense can spot the next Bradley Manning before that yet-to-be-discovered individual steals classified information and makes it public. [1]

This is the mission:

…blue-sky research firm Darpa asked software engineers to design a system to sift through Defense Department e-mail, web and network usage for “anomalous missions” indicating that a user might intend to siphon sensitive information to unauthorized entities. The program is called CINDER, short for the Cyber Insider Threat Program.[2]

According to Wired, HBGary claims it can create the necessary software.

Data will be collected on employees while they work. This data will include what they do, where they go on the internal network and the internet, how and what they type, mouse movements, etc. Computer webcams trained on employees could be used to get snapshots and video. A lot of data would be accumulated and used to determine what is “normal”. Employees who deviate from Normal in particular ways would be flagged as potential Bradley Mannings.

HBGary’s proposal acknowledges: The only way to judge anomalous user behavior is to create a model for normal behavior; that in turn requires mapping normal behavior for the median user — which in the Defense Department’s case is millions of people.[3]

Got that?

Now, if you think this project is credible, that it makes sense, on any level, in any way, you need to think about it a little longer. Thirty seconds should be sufficient.

Pause here to think…

Now you get it, right?

And you didn’t need the whole 30 seconds, did you? A regular snake-oil scam if there ever was one. But of course, DARPA put out an RFP that said, in essence, “Please submit snake-oil scams…”

Snake-oil scams are entertaining for everyone in the audience who has paused to think for a few seconds.

I like this bit:

The only way to judge anomalous user behavior is to create a model for normal behavior…[4]

Let’s work on that, come up with a couple of situations where we can identify “normal behavior”.

Here’s one: Picture yourself as a striking, 20-something blonde female US Army master sergeant employed by the Department of Defense. You know the webcam built into your computer monitor may at any time (or all the time) be taking close-up still shots or video of you while you work. Is it normal or abnormal for you to put a Post-it note or piece of chewing gum over the camera?

Normal, of course. In fact, it’s normal for everyone to put a Post-it note over the camera, simply because people don’t like being spied on and photographed at close range without their permission. Of course, every now and then a smart aleck will take off the Post-it to make a rude gesture, stick his tongue out at the camera, or to pose for a few seconds wearing mirror shades and a Bedouin-style turban.

Smart aleck behavior at some level is normal, and the HBGary software would have the intelligence to treat it as normal. [5]

But that’s an easy one. Let’s try something a little tougher.

You’re still a DOD employee, male or female, age is irrelevant. Would it be normal or abnormal for you to start your day by typing “Bradley Manning for President”, or “a republic, if you can keep it”, or the NSA couch potato joke-of-the-day …with nothing but a black DOS box in focus? Nothing saved; nothing sent; just private keystrokes.

That behavior wouldn’t be average, but remember, what this cool Bradley Manning detection software must do is figure out what “Normal” is in such a way that an employee’s deviation from “Normal” isn’t just any deviation, but a particular kind of deviation — a deviation that indicates that person intends to steal and misuse confidential information.

In any sizable group of Americans it will be absolutely normal to find one or two, or several, who are passionately American. They are wary of government power, they believe the 4th Amendment was written because it really does happen that jerks get into government, and they detest unwarranted government invasions into the lives of free citizens. They strenuously object to government lawlessness, incompetence, corruption and stupidity.

Again, in a normal group of Americans, there will be a few passionate Americans — Americans who take their citizenship seriously.

So, out of, say, ten thousand DOD employees, it will be perfectly normal for some number of them to occasionally type unsaved, unsent messages on their keyboards — if they think they are being studied for deviations from Normal — because they take the view that the only way those messages can be read is if the reader is an anti-American (domestic) enemy of the Constitution, and they like to send taunting, insulting messages to enemies of the Constitution and enemies of America.

“Wikileaks Rocks! (for your eyes only, Stooge)”

It’s perfectly normal for a group to have a few individuals of that sort.

Now, switch roles: You’re the tax-money-slurping contractor. You’ve collected a ton of data on ten thousand DOD employees. Those employees know you’ve been watching them, testing whether or not they are Normal, collecting and saving data — keystrokes, mouseclicks, video, still shots, whatever — in order to analyze them in detail, as individuals who may or may not be Normal. Out of that ten thousand DOD employees, not one person, not a single American, has ever typed “Bradley Manning for President” or some such provocative thing into a DOS window.

Now you’ve really got a problem.

A normal group of ten thousand Americans should include a few history-conscious, passionate Americans with enough courage to resist, at least quietly, a spirit of anti-American stupidity.

Here you’ve got a group of ten thousand Americans that is not Normal.

What will you do with that group?

PB

[1] At the time of this writing, Bradley Manning is accused; he has not been convicted of any crime. Regrettably, in this period of American history, it is possible for an accused-but-not-convicted individual to be cruelly mistreated if he has the misfortune to be held by the Department of Defense.

[2] Wired. “‘Paranoia Meter’ Is HBGary’s Plot to Find the Pentagon’s Next WikiLeaker”. Spencer Ackerman. http://www.wired.com/dangerroom/2011/04/paranoia-meter-hbgarys-plot-to-find-the-next-pentagon-wikileaker/

[3] Ibid.

[4] Ibid.

[5] And snake oil is known to cure cancer.

Enemies

Bradley Manning has been charged with “aiding the enemy”.

The charges, filed Tuesday but not disclosed until Wednesday, are one count of aiding the enemy, five counts of theft of public property or records, two counts of computer fraud, eight counts of transmitting defense information in violation of the Espionage Act, and one count of wrongfully causing intelligence to be published on the internet knowing it would be accessible to the enemy. The aiding-the-enemy charge is a capital offense… [1]

I await with great interest the definition of “enemy” that will be used by prosecutors. As far as I know, the United States does not have any enemies. We are not at war with anyone.

We think and perhaps speak of al Qaeda as the “enemy”. We may think and speak of terrorists in general as the “enemy”. But that’s colloquial speech. In a court room, in a legal context, the word “enemy” must have a particular meaning. If you charge someone with “aiding the enemy” then for a start you’ll have to identify the enemy who received the aid.

Congress has not declared war on anyone, so identification of the “enemy” is highly problematic. Arguably, the definition is entirely subjective, in the eye of the beholder, as it were. Is bin Laden an enemy or a criminal wanted for conspiracy and murder? Will there be an effort to cast Wikileaks as an “enemy”? Is the New York Times an enemy, since the NYT has published material made available by Wikileaks? George Bush initiated a “war” (metaphor?) on “terror” (an abstraction, a word in the dictionary). Is it possible to give aid to an abstraction?

Anyway, I will be very interested to see how “enemy” is defined in the trial of Bradley Manning.

One thing to bear in mind:

The charge of aiding the enemy is a purely military charge from the Uniform Code of Military Justice, which applies only to service members. [1]

So, if aiding the enemy is a crime that can only be committed by members of the armed services, it’s entirely possible that “enemy” can be defined by the military in a way that only applies within the military. Let me clarify…

The United States, as a nation, does not have any enemies at present because our Congress has not declared war on anyone. But the military services possibly do have one or more enemies, determined in some way by the military. If the military wants to put someone belonging to the military on trial for “aiding the enemy” that can work because the military will define “enemy” — for itself, not for the nation.

If I’m correct that the military can define “enemy” in its own way, to support a charge of “aiding the enemy”, then logically, nothing prevents an enemy of the United States military from also being a good friend of the United States, a constitutional republic.

PB

[1] “Bradley Manning Charged With 22 New Counts, Including Capital Offense” http://www.wired.com/threatlevel/2011/03/bradley-manning-more-charge/

Wikileaks and Secrets

Reactions from the U.S. Government to the Wikileaks publication of diplomatic cables are puzzling. For instance, here’s a USMC memo published by Wired:

[W]illingly accessing the WIKILEAKS website for the purpose of viewing the posted classified material [constitutes] the unauthorized processing, disclosure, viewing, and downloading of classified information onto an UNAUTHORIZED computer system not approved to store classified information. Meaning they have WILLINGLY committed a SECURITY VIOLATION.[1]

If you’re a civilian with an appreciation for slapstick comedy, you can just laugh. But if you’re one of The Few, The Proud, etc., and you’re not accustomed to turning off your brain when you hear trite, throw-away phrases like “national security” you might not see the humor in this.

Step back and think about who this material, now published by Wikileaks, was kept secret from, back when it was secret. More broadly, what is the purpose of a secret, any secret? What is a secret for?

If I’m negotiating to buy a house, the absolute maximum price I’m willing to pay is something I will want to keep secret from the seller, with whom I’m negotiating. I really don’t care who else knows my max price. All of my family and friends — indeed, all of the seller’s family and friends — can know, as far as I care. I only want to keep knowledge of my max price from the seller himself, because he might change his behavior in our negotiations if he knows the price. He’s the one chap who can take advantage of that knowledge to cause me a problem by shaking a few extra dollars out of my pockets.

As a practical matter, I’ll need to keep the maximum price I’m willing to pay quiet from just about everyone, because if I make it widely known among those whose knowledge of it does not matter at all, there’s a greater chance that the one person I’m actually concerned about will find it out. I will keep this secret from the many only because I want to be sure it remains secret from the one.

What if the seller of the house somehow finds out my maximum price?

Well, that’s it. He knows. If he wants he can dig in his heels and hold out for what he knows I’m willing to pay. For me, it’s Game Over, as far as the secret of my max price is concerned. It’s no longer secret from the one person I wanted to keep it secret from.

But what about everybody else?

What about them? I never cared about everybody else knowing; why would I start caring now?

How about U.S. diplomatic cables? What if an American ambassador makes a remark about Mubarak and his associates in a cable, and that cable is “secret”?

Who is it secret from? Clearly, it’s secret from Mubarak and his associates, and probably from Mubarak’s opponents, and maybe Mubarak’s peers in the Middle East — quite a few people for sure, but not everybody. It’s secret from people who might alter their behavior in some way that is disadvantageous to the United States. It isn’t secret from a random Chinese peasant or an Inuit seal hunter. It isn’t secret from me, or from a United States Marine. In fact, it isn’t secret from tens of millions of people. For the vast majority of the population of earth it’s a matter of indifference if it’s known or not.

But as a practical matter, there’s no way the cable can be shared with peasants and seal hunters and me and the Marines and millions of others whose knowledge of the cable doesn’t matter, simply because dissemination among those from whom it’s not secret will increase the chance of it falling into the hands of someone from whom it is secret.

What happens if somehow (NYT, Washington Post, Wikileaks…) Mubarak and his associates find out the contents of the cable? Well, that’s it. They know… Game Over.

Is it ok now if U.S. Marines and Inuit seal hunters read the cable?

What a weird question. Why would it not be ok? It never was secret from them, except as a precaution against the cable reaching Mubarak & Associates. Mubarak has it. If they’re so inclined, seal hunters can translate it into Greenlandic, add an iceberg and a whale to spice it up a bit, and read it to their children as a bedtime story. Whatever.

What the Marine Corps leadership and the leadership of the U.S. Government in general don’t seem to understand is that it’s “Game Over”: The people the documents were being kept secret from have them, and there’s nothing to be done about that.

The “few” have the documents.

The practical need to keep the documents secret from the many in order to keep them secret from the few no longer exists. As far as all the people from whom the documents never were secret — employees of the Department of Defense, for instance — the documents are still not secret from them. Nothing has changed. It never mattered, really, if they saw the cables, and it still doesn’t matter.

PB

[1] “Pentagon to Troops: Taliban Can Read WikiLeaks, You Can’t”: http://www.wired.com/dangerroom/2010/08/pentagon-to-troops-taliban-can-read-wikileaks-you-cant/

Thank you, Wikileaks

In the recent public discussions of Wikileaks, I haven’t seen (though I could have missed it) any credit and congratulations given to Julian Assange’s organization for exposing the insecurity of the US Government’s SIPRNet. That exposure was an important service to the people of the United States, as well as to our hired help, the US Government.

According to the Pentagon, SIPRNet has approximately half a million users. Access is also available to a “…small pool of trusted allies, including Australia, Canada, the United Kingdom and New Zealand…”
http://en.wikipedia.org/wiki/SIPRNet

I don’t know if Wikipedia is right about the number, “half a million users”. I’ve seen quotes lately that claim a million users. But even if it’s a tenth of the Wikipedia figure – that is, 50,000 users — that is a sizable global network, and if data on that sizable network has value, it’s simply naive for someone to think data will not leak out — naive about networks and computers, and naive about people.

The bureaucratic position is, “But this network is locked down, not physically connected to the Internet, accessible only by people who are authorized, closely monitored… blah, blah, blah…” In a word, Naive.

Think about it: Here’s a network 1) with data that has value and 2) 50,000 or 500,000 or a million users. A network admin claims data will never be copied from the network for some unauthorized purpose…

That doesn’t even make sense.

But if you’re a bureaucrat without much knowledge of technology in general, or of networks and the internet in particular, and if you have little or no understanding of human nature, you might think it does make sense, which is sad for you at a personal level, but also bad for the people you work for. And it’s why you should thank Wikileaks for giving you the benefit of a little education.

The way data would normally be copied from a network like SIPRNet — the way it has been copied from SIPRNet in the past, we can assume — is secretly, without fuss, without fanfare. People with access to the network, and with particular interests, have quietly copied data by various means, to be delivered to persons with a shared ideology or religion, or to persons of whatever ideology, who are able to pay well, and pay in cash.

Wikileaks, by making SIPRNet data available publicly and with great fanfare, badly mauled the business models and espionage exploits of everyone who was already quietly copying data from SIPRNet for profit or for a cause. The network security clampdown, inspired by Wikileaks, will impact an unknown number of enterprises.

The outrage of the US Government at Wikileaks for making secrets public is probably echoed behind closed doors in obscure facilities in Iran, North Korea and elsewhere. But the outrage in the echo is not that Wikileaks made secrets public, but that Wikileaks made it public that secrets could be acquired from SIPRNet. Lots of secrets.

The Big Secret — that SIPRNet leaks — was leaked by Wikileaks, and we can be certain there are people of various nationalities who would rather that were not known.

Thank you, Mr. Assange. You’ve done us a favor.

PB

Al Jazeera

I recently discovered Al Jazeera news, via YouTube, in English.

http://www.youtube.com/user/AlJazeeraEnglish

I can’t compare it with other TV-style news outlets, like CNN and FoxNews, because I haven’t watched those. But Al Jazeera English is easily on par with, and in many ways superior to, The Wall Street Journal of our day, when it comes to coverage of world news, in both breadth and depth. The format is video, interview and discussion, so a comparison with print is not quite apples-to-apples. If you’re interested in keeping up with things going on in the world, Al Jazeera is worth following.

I subscribed to the Al Jazeera English YouTube channel and selected the option to get email alerts when something new is uploaded, so I get email for regular news updates, In Depth, 101 East, etc — all the Al Jazeera productions, I suppose. I don’t have time to watch many, but I can quickly click through emails and decide based on topic if it’s something I’m interested in. The emails have some basic description of what the video upload contains.

Their coverage of Sudan has been quite good — much better than the WSJ. Lately, I’ve watched informative shows about ETA, the Basque terrorist (a.k.a. “separatist”) group, how South Korea integrates North Korean defectors, the current Lebanese political crisis, Gbagbo vs Ouattara in Cote d’Ivoire, Berbers in North Africa…

http://www.youtube.com/user/AlJazeeraEnglish

PB

Hallmarks of Shallow Thinking

The rabbi at one of the synagogues told the Journal that its website had been visited dozens of times recently by individuals located in Egypt. The episode underscores how crucial it is that U.S. intelligence be able to eavesdrop on email and phone conversations between people abroad and in the U.S., and in real time without having to wait for a warrant.

This is from an Opinion piece in the Wall Street Journal (October 31, 2010), “Hallmarks of al Qaeda,” which was published after the failed parcel bomb attacks on cargo planes.

Is it assumed that I will draw a conclusion from the fact that the website of one of the synagogues targeted has been “visited dozens of times recently by individuals located in Egypt”? Am I supposed to think, “…must have been terrorists, casing the joint” — and then congratulate myself on being a regular Sherlock Holmes?

Frankly, without context, I don’t know what to make of that information. It might be an interesting data point, but to know whether or not it’s interesting, we need more.

Note: “dozens of times” is not an exact number; “recently” is not a precise time frame.

In a typical week, looked at over the last 5 years, how many hits to the website come from Egypt? Was there a sudden jump in the number of hits from Egypt recently? In the past, have there been jumps in the number of hits from Egypt that didn’t correlate with a parcel bomb attack, or is this completely unique? How does the number of hits compare to other synagogues, or to other entities, like churches or mosques?

“Visited dozens of times” — are these unique visitors, or http requests? It’s important to know what is being counted. A single unique visitor to a single page might generate dozens of http requests in the log, depending on how the page is built.
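To make the counting question concrete, here is an added example (not from the Journal or from this post) that parses constructed web-server log lines in Apache combined format, tallies requests versus unique client addresses per country, and compares this week’s figure with a constructed history of earlier weeks. The IP-to-country map is an assumption standing in for a GeoIP lookup; as noted below, it says where an address is registered, not where the person sits.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Apache/nginx "combined" log format; the regex keeps only the fields used here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumption: a static map stands in for a GeoIP database. It attributes the
# address's registered location, not the person's (VPN/Tor users excepted).
COUNTRY_OF = {"203.0.113.7": "EG", "203.0.113.9": "EG", "198.51.100.4": "US"}


def country(ip):
    return COUNTRY_OF.get(ip, "??")


def page_load(ip, ts, assets):
    """Constructed sample: the log lines one browser writes when it loads one
    page, i.e. the HTML followed by every referenced asset."""
    lines = [f'{ip} - - [{ts}] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"']
    for asset in assets:
        lines.append(f'{ip} - - [{ts}] "GET {asset} HTTP/1.1" 200 880 "-" "Mozilla/5.0"')
    return lines


# Eleven assets plus the HTML: twelve requests per single page view.
ASSETS = [f"/static/img/{i}.jpg" for i in range(8)] + ["/static/site.css", "/static/menu.js", "/static/logo.png"]

# Constructed week of traffic: two Egyptian addresses view two pages each,
# one US address views one page. "Dozens of hits" from two visitors.
SAMPLE_LOG = (
    page_load("203.0.113.7", "29/Oct/2010:14:02:11 +0000", ASSETS)
    + page_load("203.0.113.7", "29/Oct/2010:14:05:40 +0000", ASSETS)
    + page_load("203.0.113.9", "30/Oct/2010:09:17:03 +0000", ASSETS)
    + page_load("203.0.113.9", "30/Oct/2010:09:20:51 +0000", ASSETS)
    + page_load("198.51.100.4", "30/Oct/2010:11:45:00 +0000", ASSETS)
)

# Constructed baselines: the previous twelve weeks of Egyptian traffic,
# counted once as HTTP requests and once as unique client addresses.
WEEKLY_REQUESTS_EG = [3, 0, 5, 2, 4, 1, 6, 2, 3, 4, 0, 5]
WEEKLY_VISITORS_EG = [2, 0, 3, 1, 2, 1, 3, 1, 2, 2, 0, 3]


def tally(lines, country_of):
    """Return {country: (http_requests, unique_client_ips)} for parsable lines."""
    requests = defaultdict(int)
    ips = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than silently miscount them
        cc = country_of(m.group("ip"))
        requests[cc] += 1
        ips[cc].add(m.group("ip"))
    return {cc: (requests[cc], len(ips[cc])) for cc in requests}


def z_score(history, current):
    """How many standard deviations the current week sits above its own history."""
    mu, sigma = mean(history), pstdev(history)
    if sigma == 0:
        return 0.0 if current == mu else float("inf")
    return (current - mu) / sigma


def assess(history, current, threshold=3.0):
    """(z, flagged): flag only a jump well outside the site's normal variation."""
    z = z_score(history, current)
    return z, z > threshold


if __name__ == "__main__":
    per_country = tally(SAMPLE_LOG, country)
    reqs, visitors = per_country["EG"]
    print(f"Egypt: {reqs} requests from {visitors} unique addresses")
    print("requests vs baseline :", assess(WEEKLY_REQUESTS_EG, reqs))
    print("visitors vs baseline :", assess(WEEKLY_VISITORS_EG, visitors))
```

Counted as requests the week looks like a spike; counted as visitors it is two people, well inside the site’s ordinary variation.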

The drift of reporting has been that these parcel bombs came from Yemen. What is the significance of Egypt in this context? Is it just that Egypt is, to a geographically illiterate readership, “over there” where Yemen is? They aren’t in the same timezone, but it is probably less than 2,000 miles from Sana’a to Cairo, so I suppose you could say they are close, like Poland and Wales are close.

Is it that there are a lot of Muslims — and therefore potentially, a disproportionate number of terrorists — in Egypt? Were there recent visitors to the synagogue website from other places where there might be terrorists, like Pakistan, or Gaza, or London, or New Jersey… or Chicago?

I presume the Journal editorial writer knows that the source IP of a website hit doesn’t say much about where the person looking at the web page is sitting. And if that person doesn’t want his physical location known, the source IP says nothing at all, except perhaps that he’s not where the source IP is. Someone in Munich can VPN into a network in Egypt and his web requests, from the point of view of the website, will come from Egypt. And, by the way, are there Tor nodes in Egypt?

My point is that it’s silly for the Journal to throw out one piece that may or may not belong to a thousand-piece puzzle and expect intelligent readers to know whether the completed puzzle is an old man in a boat or the carcass of a leopard on Mount Kilimanjaro. And it is way beyond silly to propose that anything about this event “underscores how crucial it is that U.S. intelligence be able to eavesdrop on email and phone conversations between people abroad and in the U.S., and in real time without having to wait for a warrant.”

Warrants, among other things, prove there’s been some work done to ensure that “a person of interest” might really be up to something — not just that he appears to be in Egypt and browsed to a Chicago website. One reason, in my opinion, that the American 3-letter services want to avoid the warrant process and other controls that protect freedom, is that a large number of their employees are loafers, and protecting freedom while they try to catch bad guys is just too much like work.

Any guesses for what the ratio of false positives to real terrorists would be if U.S. Intelligence was not subject to law that prevents promiscuous snooping? Does anyone believe that promiscuous snooping would make it easier to catch real bad guys, who will, of course, change their comm channels as needed — from satellite phone to bicycle courier, or from in-the-clear email to 256-bit encryption?

U.S. “Intelligence” should just get off its obese government butt, quit whining about how it can’t do anything unless it can snoop on everything everyone is saying, and get to work.

PB

unpolluted sprockets #1

One thing I like about Wikipedia is the little “citation needed” inserts reminding the reader, in effect, “Here we have a statement of fact which has been made without supporting evidence.”

For instance, this is from the Raytheon article[1]:

Raytheon Professional Services (RPS) is a global leader[citation needed] in training services and learning outsourcing for over 75 years.[citation needed]

Raytheon is the company where William J. Lynn III worked as a lobbyist before he was made Deputy Secretary of Defense in the current administration.

A citation doesn’t make the fact asserted true, it just means there is some kind of evidence for the assertion that anyone is free to check out. That evidence might be strong or weak, and the reader probably won’t bother to check it anyway, but the presence of a citation makes a statement of fact, in some way, verifiable.

In Foreign Affairs, essays are not required to have footnotes, much less “citation needed” flags, so in comparison to Wikipedia, the reading experience of FA is superficial.

In Mr. Lynn’s Foreign Affairs essay[2], “Defending a New Domain” he says this:

Every day, U.S. military and civilian networks are probed thousands of times and scanned millions of times.

Citation needed, right?

None supplied.

This sounds like a variation on the 6-million-attacks-a-day (on Department of Defense networks) assertion that is part of the template for people writing for or speaking to technically non-literate audiences. This example from Bill Lambrecht:

The new head of the U.S. Cyber Command, Gen. Keith Alexander, revealed this month that Pentagon systems are attacked 250,000 times an hour, 6 million times a day.[3]

No citation available for Mr. Lambrecht’s assertion either. Which is a shame, because I’d like to know if Gen. Alexander really said Pentagon systems are “attacked” 6 million times a day in some context I’m not familiar with, or if Mr. Lambrecht spiced up his column by carelessly swapping in the word “attack” for what Gen. Alexander really did say:

DOD systems are probed by unauthorized users approximately 250,000 times an hour, over 6 million times a day.[4]

I’ll bet that Gen. Alexander chose the word “probed” deliberately when he was speaking to CSIS, and I will further bet that he consciously avoided using the word “attack” in characterizing what was happening 250,000 times an hour, 6 million times a day to Pentagon systems. In his Senate confirmation hearing, Gen. Alexander specifically said that “probes” are not “attacks”.[5] For military guys, the word “attack” is loaded with all kinds of baggage completely unknown to those who use the same word in a network security context.

Another variation uses “targeted”:

When asked how often the federal government’s computers get targeted or probed each day, defense specialist Rep. Adam Smith, D-Wash., curtly responds: “North of a million times.”[6]

Here’s another:

The Pentagon’s top information-security official, Robert Lentz, said the Defense Department detected 360 million attempts to penetrate its networks last year, up from six million in 2006. [7]

Hmm… “Attempts to penetrate” DOD networks? How is a single attempt identified for the purpose of counting? When a Facebook scraper works for weeks putting together information for a spear-phishing attack on a Navy Admiral, to craft an email with a link in it he will foolishly click… Will all those http GETs and POSTs at Facebook and elsewhere, plus the email to the Admiral count as just one attempt to penetrate a DOD network? With a number in the hundreds of millions, there must be an automated way of counting. How do they count? What do they count?

Mr. Lynn has some vague numbers, “thousands” and “millions”, for probes and scans respectively. But what is a “probe”? What is a “scan”? Do his IT guys parse router logs into “probes,” “scans” and “other,” based on what protocols are used, what ports are queried, what the source IPs are?

Gen. Alexander has more precise numbers for “probes” by “unauthorized users” (250,000/hour, 6 million/day). But what, pray tell, is an “unauthorized user”? If these numbers come from router logs, what distinguishes an authorized user from an unauthorized user?

Observe:

$ ping nsa.gov
PING nsa.gov (12.120.166.8): 56 data bytes
92 bytes from 10.98.13.43: icmp_type=3 (Dest Unreachable) icmp_code=3
92 bytes from 10.98.13.43: icmp_type=3 (Dest Unreachable) icmp_code=3
92 bytes from 10.98.13.43: icmp_type=3 (Dest Unreachable) icmp_code=3

----nsa.gov PING Statistics----
46 packets transmitted, 0 packets received, 100.0% packet loss

I just pinged NSA at nsa.gov. DNS resolved the name to 12.120.166.8, but that IP doesn’t answer to ping so I get a “destination unreachable” response from a router closer to my NIC.

My ping put a line in a router log at NSA for an ICMP echo request from my IP that was dropped. Will that line count as a “probe” or is it counted as something else (like, “blog post demonstration” :-) )? Since we don’t know what a probe is, we can’t know what kinds of IP traffic are not probes.

If my ping is a probe, it can’t count as coming from an unauthorized user. I authorized it myself, so I know it was authorized. But how will the light-starved gnomes counting probes deep in the catacombs beneath Ft. Meade know my ping was authorized? Do they flip coins?

Logs can be mined for data that will sort inbound traffic into “solicited” and “unsolicited” buckets (ICMP echo requests are always unsolicited, by the very nature of the protocol). But “authorized” and “unauthorized” categories have no technical meaning. Do they have any meaning at all?
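As an added example (not from the post or from any of the officials quoted), the script below parses a constructed iptables-style firewall log of dropped inbound packets and counts the same traffic three ways: per packet, per source address, and per source-and-service pair. It also applies one explicit, stated definition of a “scan”. The addresses, the log excerpt and the five-port threshold are all assumptions; nothing in the fields says whether a sender was “authorized”.

```python
import re
from collections import defaultdict

# Constructed hosts for the sample (documentation ranges, not real machines).
OUR_HOST = "203.0.113.200"
SCANNER = "203.0.113.7"       # one source touching many ports
PINGER = "198.51.100.23"      # the post's own case: someone pinging us
RETRIER = "192.0.2.55"        # one source retrying one port


def tcp_line(src, dpt, sec):
    """One netfilter LOG line for a dropped inbound TCP SYN (constructed)."""
    return (f"Oct 29 14:02:{sec:02d} gw kernel: DROP IN=eth0 OUT= SRC={src} DST={OUR_HOST} "
            f"LEN=60 PROTO=TCP SPT=51000 DPT={dpt} WINDOW=65535 SYN")


def icmp_line(src, sec):
    """One netfilter LOG line for a dropped ICMP echo request, type 8 (constructed)."""
    return (f"Oct 29 14:03:{sec:02d} gw kernel: DROP IN=eth0 OUT= SRC={src} DST={OUR_HOST} "
            f"LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ={sec}")


# Constructed excerpt: ten ports from the scanner, five pings, three retries
# to one port, plus an unrelated kernel line that a parser must skip.
FIREWALL_LOG = (
    [tcp_line(SCANNER, p, i) for i, p in enumerate([21, 22, 23, 25, 80, 139, 443, 445, 3389, 8080])]
    + [icmp_line(PINGER, i) for i in range(5)]
    + [tcp_line(RETRIER, 445, 30 + i) for i in range(3)]
    + ["Oct 29 14:04:00 gw kernel: eth0: link up"]
)

KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse(line):
    """Extract SRC, PROTO and the service aimed at (TCP/UDP port or ICMP type).
    Returns None for lines that are not netfilter packet logs."""
    fields = dict(KV_RE.findall(line))
    if "SRC" not in fields or "PROTO" not in fields:
        return None
    proto = fields["PROTO"]
    if proto in ("TCP", "UDP"):
        target = f"{proto}/{fields.get('DPT', '?')}"
    elif proto == "ICMP":
        target = f"ICMP/type{fields.get('TYPE', '?')}"
    else:
        target = proto
    return {"src": fields["SRC"], "proto": proto, "target": target}


def count_probes(events, unit):
    """Count "probes" under one of three equally defensible definitions.
    The headline number depends entirely on which one you pick."""
    if unit == "packet":
        return len(events)
    if unit == "source":
        return len({e["src"] for e in events})
    if unit == "source_target":
        return len({(e["src"], e["target"]) for e in events})
    raise ValueError(f"unknown counting unit: {unit}")


def detect_scans(events, min_targets=5):
    """Stated definition: a source is 'scanning' if it touched at least
    min_targets distinct services within the logged window (assumption)."""
    targets = defaultdict(set)
    for e in events:
        targets[e["src"]].add(e["target"])
    return {src for src, t in targets.items() if len(t) >= min_targets}


def summarize(lines):
    """All the numbers a report could quote from the same log, side by side."""
    events = [e for e in map(parse, lines) if e]
    return {
        "packets": count_probes(events, "packet"),
        "sources": count_probes(events, "source"),
        "source_targets": count_probes(events, "source_target"),
        "scanners": sorted(detect_scans(events)),
        # Unsolicited by protocol design, but the log cannot say who sent them
        # or whether the owner "authorized" the ping from home.
        "icmp_echo_sources": sorted({e["src"] for e in events if e["target"] == "ICMP/type8"}),
    }


if __name__ == "__main__":
    for key, value in summarize(FIREWALL_LOG).items():
        print(f"{key:18s} {value}")
```

The same eighteen dropped packets are “18 probes”, “12 probes” or “3 probes” depending on the unit, and only the stated scan rule separates the port sweep from the retries and the pings.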

Alas, the transcript for Gen. Alexander’s talk doesn’t have citations, so his “unauthorized users” just get stirred into the soup of nebulous terminology along with “attacks” and “probes” and “scans” and “attempts to penetrate” and “targeted computers” — and when someone who doesn’t know much about how the internet works, or about network security, wants to say something to impress an audience which also doesn’t know much… he just dips in a ladle and serves up a big helping of whatever soup mush happens to be near the top.

Probably, these people are talking about nothing more than what we think of as the Background Noise of the Internet, what Steve Gibson calls Internet Background Radiation.[8] Anyone who wants to watch random unsolicited packets from the Internet bouncing against a home router can see it. Dozens of log entries an hour. Unless it’s a hobby for you, you don’t watch. Router logs just aren’t that fascinating. Ten or 12 years ago IBR was interesting and something of a novelty for many people (me included). But now it’s just raindrops on the roof. Who cares?

Well, the lobbyists-presently-in-government and the lobbyists-presently-lobbying care, possibly because it looks to them like there’s a lot of unguarded money ready to be bagged and trucked off for those who can spin up a fun “cyber” story. The 6-million-attacks-a-day bit is how a good cyber story always begins, just like, “Gather round children and I’ll tell you about…”

You’re thinking, “Someone must have counted something; surely, if there’s a number someone, sometime, somehow must have counted something? Or if they didn’t count they had a statistically validated method of estimating?”

Ah… Wouldn’t it be nice to have a citation? — a reference to some document or web page to check, so we could see when the count was done (if it’s not ongoing), how it was done, what was counted, how the categories were defined…

Wouldn’t it be nice…

Here is the simple truth concerning the 6-million-attacks-a-day assertion, in all its protean forms:

No one has ever counted anything.

Sometime back in the 90s a low-level Pentagon bureaucrat named Winston Smith overheard a couple of techies from the server room talking about unsolicited packets in the logs — “…1,012 hits between 0100 and 0200 from who-knows-where…” and later that day, helping his report-producing boss prepare a report for some other report-producers, Winston did a quick calculation: “With 249 other offices big enough to rate an auto-grind coffee machine like ours, that’s 250 times 1,012… but just to be conservative, let’s say 1000… that’s 250,000 an hour… But what was it they called them? Unpolluted sprockets? That’s too technical…”

This morphed from an overhead projector transparency into a PowerPoint slide, was copied into another slide deck, then another, then it became part of the standard intro to hundreds of PowerPoint presentations, was copy-pasted into reports, repeated with a straight face at news conferences, adjusted to fit preferences for the nuance of one word over another (“probe” vs. “attack”), merged into the President’s teleprompter stream… and in the course of time, came to be believed by a generation of those in the greater Washington government-and-contractor community: “…and so, children, that is how the rabbit lost its tail.”

None of the people quoted above could tell you one important difference between UDP and TCP, or between telnet and ssh, or how sha256sums are used to know when a file changes — technical concepts so basic that in 2010, they are arguably not even technical any more.

At a higher level, they don’t know why it is that the vast majority of network (a.k.a. “cyber”) security challenges today, approaching 100%, come from solicited packets — the e-mail, web pages and downloads that users and their software asked for — not from unsolicited raindrops-on-the-roof packets that a default-deny router drops without a second look. If you probe Gen. Alexander, he won’t be able to tell you what a probe is, or how probes are counted. Given as much time as he likes to scan his notes, William J. Lynn III will not be able to tell you the difference between a scan and a probe.
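For the reader who does watch router logs: here is the sort of counting the post says nobody ever did, as an added example that is not part of the original post. It parses a constructed sample of iptables-style LOG lines (RFC 5737 documentation addresses, not a real capture; the `[DROP-IN]` tag and the thresholds of three ports for a “scan” and three hits for a “probe” are assumptions chosen for the illustration) and counts the same hour of background radiation under four different definitions. The point it makes is the one the text makes about “probe” vs. “scan” vs. “attack”: the number you get depends entirely on what you decide to count.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of the lines a home router's default-deny rule writes for
# unsolicited inbound packets. Addresses are RFC 5737 documentation ranges and
# the "[DROP-IN]" log prefix is an assumed local convention; nothing here is a
# real capture. One sshd line is mixed in to show that solicited/own traffic is
# not part of the count.
SAMPLE_LOG = """\
Oct 30 01:00:03 gw kernel: [DROP-IN] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=44123 DPT=23 SYN
Oct 30 01:00:04 gw kernel: [DROP-IN] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=44124 DPT=22 SYN
Oct 30 01:00:04 gw kernel: [DROP-IN] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=44125 DPT=80 SYN
Oct 30 01:00:05 gw kernel: [DROP-IN] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=44126 DPT=443 SYN
Oct 30 01:07:41 gw kernel: [DROP-IN] IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 PROTO=UDP SPT=5060 DPT=5060 LEN=420
Oct 30 01:07:42 gw kernel: [DROP-IN] IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 PROTO=UDP SPT=5060 DPT=5060 LEN=420
Oct 30 01:07:43 gw kernel: [DROP-IN] IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 PROTO=UDP SPT=5060 DPT=5060 LEN=420
Oct 30 01:12:09 gw sshd[2201]: Accepted publickey for pb from 203.0.113.9 port 51022 ssh2
Oct 30 01:23:55 gw kernel: [DROP-IN] IN=eth0 OUT= SRC=192.0.2.99 DST=203.0.113.5 PROTO=UDP SPT=1900 DPT=1900 LEN=98
Oct 30 01:41:18 gw kernel: [DROP-IN] IN=eth0 OUT= SRC=198.51.100.200 DST=203.0.113.5 PROTO=TCP SPT=6000 DPT=3389 SYN
Oct 30 01:52:30 gw kernel: [DROP-IN] IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 PROTO=ICMP TYPE=8 CODE=0
"""

# Only dropped-inbound lines match; DPT is optional because ICMP has no port.
DROP_RE = re.compile(
    r"kernel: \[DROP-IN\] .*?SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: .*?DPT=(?P<dpt>\d+))?"
)


def parse_drops(text):
    """Return one dict per dropped unsolicited packet; other log lines are skipped."""
    events = []
    for line in text.splitlines():
        m = DROP_RE.search(line)
        if not m:
            continue  # sshd and friends: solicited/own traffic, not background radiation
        events.append({
            "src": m.group("src"),
            "proto": m.group("proto"),
            "dpt": int(m.group("dpt")) if m.group("dpt") else None,
        })
    return events


def count_by_definition(events, scan_ports=3, probe_hits=3):
    """Count one log under four definitions a headline might each call 'attacks'.

    packets: every dropped packet (the raw "1,012 hits" kind of number)
    sources: distinct source addresses
    scans:   sources that touched >= scan_ports distinct destination ports
    probes:  sources that hit one destination port >= probe_hits times
    The thresholds are assumptions for the illustration, not a standard.
    """
    ports_by_src = defaultdict(set)
    hits_by_src_port = Counter()
    for e in events:
        if e["dpt"] is not None:
            ports_by_src[e["src"]].add(e["dpt"])
            hits_by_src_port[(e["src"], e["dpt"])] += 1
    scanners = {s for s, ports in ports_by_src.items() if len(ports) >= scan_ports}
    probers = {s for (s, _port), n in hits_by_src_port.items() if n >= probe_hits}
    return {
        "packets": len(events),
        "sources": len({e["src"] for e in events}),
        "scans": len(scanners),
        "probes": len(probers),
    }


if __name__ == "__main__":
    # Same hour of logs, four honest answers to "how many?":
    # {'packets': 10, 'sources': 4, 'scans': 1, 'probes': 1}
    print(count_by_definition(parse_drops(SAMPLE_LOG)))
```

Ten packets, four sources, one scan, one probe: multiply any of those by 250 offices and 24 hours and you get four very different headline numbers from the same raindrops. Whichever one a report quotes, a reader is entitled to ask which definition and which thresholds produced it.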

If you questioned them, even trivially, this generation of talkers and report-producers would not be able to define clearly and consistently their own words. And if President Obama brought the whole lumbering, obese government to a blubbery, wobbling halt, demanding to know, “Where does this 6 million probes a day number come from?” — no one would be able to tell him. Gen. Alexander would ask his staff, and they would turn around and ask their staffs and those staffs would, in turn, try to find and wake up their staffs… and no one would be able to find the original study or tell the President how and when it was done.

Because there was no study.

Winston Smith is currently working for a government contractor and may not be back in government proper for a year or two. He’s now an expert in Arctic tundra reclamation policy. He doesn’t even remember what word he thought was better than “unpolluted sprockets” back when he was a computer network security expert, before the government contractors rebranded network security as “Cyber” so they could jack up their per diems, scan congressmen for opportunities to fill white space in 1000-page bills, probe DHS with cybersecurity concepts, target DOD for billion dollar firewall upgrades, give those timid NSA loafers the willies with horror stories about unauthorized users, and attack the ongoing problem of how to move money out of the pockets of working people and into report-writing employment and lively conversation over drinks and good food at the finest dining establishments in Washington, D.C.

If there had been a count of something, none of the government/contractor people you see quoted in the papers and blogs would know what was counted, or how.

But the fact is, no one ever counted anything. Six million whatevers a day, 250,000 whatevers an hour, 360 million whatevers a year… it doesn’t matter. It’s all bogus. And I have a citation for that: [9]

PB

——-

[1] http://en.wikipedia.org/wiki/Raytheon
[2] Foreign Affairs, September/October 2010, “Defending a New Domain”
[3] Bill Lambrecht, LA Times, June 24, 2010, “U.S. is busy thwarting cyber terrorism — The government and defense contractors are in a constant battle against computer attacks” http://articles.latimes.com/2010/jun/24/business/la-fi-cyber-terrorism-20100624
[4] Gen. Keith Alexander, Director, National Security Agency, Commander, U.S. Cyber Command, Thursday, June 3, 2010, speaking to the Center for Strategic and International Studies (CSIS)
[5] Sean Lawson blog post at Forbes.com: “Just How Big Is The Cyber Threat To The Department Of Defense?” Jun. 4 2010. http://blogs.forbes.com/firewall/2010/06/04/just-how-big-is-the-cyber-threat-to-dod/
This is not the only place that references Gen. Alexander’s testimony. Sean has also put together some interesting quotes that capture the muddled-terminology situation. What I’m prone to say with war-painted, spear-shaking unruliness, he conveys in a gentlemanly way: “The contradictions between this and previous statements of the threat, both by Alexander and others, combined with continued confusion over the definition of key terms, points once again for the need to more clearly articulate the cyber threat if we are to develop appropriate policy responses.”
[6] Joel Connelly, “Cyber attacks: The next big security threat?” Seattle Post Intelligencer, April 11, 2010 http://www.seattlepi.com/connelly/418225_joel12.html
[7] Yochi J. Dreazen and Siobhan Gorman, “U.S. Cyber Infrastructure Vulnerable to Attacks” Wall Street Journal, May 6, 2009. http://online.wsj.com/article/SB124153427633287573.html
[8] Steve Gibson, grc.com, SecurityNow, SpinRite, the Portable Dog Killer and other useful endeavors.
[9] http://pmbarry.wordpress.com/2010/10/30/unpolluted-sprockets-1/
