GlobalSecurity.org In the News




CommsWorld March 4, 2004

Confusion and Paranoia

By Richard Chirgwin

Last October, I reviewed Dan Verton's Black Ice for the print version of CommsWorld. Looking over the continuing uncritical endorsement the book gets, I've decided to post the review here.

My reason is simple: the level of debate about cyberterror is appallingly poor. It's impossible to balance security, reasonable cost, and the rights of the citizen when people are convinced there are digital reds under the bed.

Review: Black Ice

Americans have a great love for apocalyptic books, and have done for years. Whether it's the current revival in writing up how today's events match the end-of-the-world predictions from Revelations, or the period from the 1960s to the 1980s in which imminent nuclear war was confidently forecast on a regular basis, American publishing loves the end of the world.

The new apocalypse is, according to American journalist and former intelligence officer Dan Verton, going to happen online – and, as has been the case since the days of “duck and cover”, America is unprepared.

Verton's book, Black Ice – the Invisible Threat of Cyber-Terrorism, comes with impressive endorsements (starting with former presidential advisor Richard Clarke, who last year predicted that terrorists could send the air traffic control system black over the Internet), but it presents CommsWorld with problems as a review specimen.

While the premise is sound – IT security is a national security issue – I don't believe that an exaggerated and distorted view of security helps the debate; but to make my case properly, I would need to reproduce more of the book than copyright laws allow.

Still, we'll do the best we can…

Black Ice starts on formula, with Verton presenting a fictional scenario in Chapter 1 to give readers a good scare. Readers who are old enough might remember the “nuclear holocaust” scenario-books of the eighties – “If a 5 megaton device were detonated at the Sydney Opera House, all people living in the red circle would be killed instantly”…

So it is with the fictional first chapter. It posits what would happen if there were a mass-scale, widespread, co-ordinated series of terrorist strikes in America, far beyond the September 11, 2001 attacks.

Verton then picks up the story in the second chapter, “Black Ice: Cyber-Terrorism's Hidden Dangers”, which reports on exercises such as the Department of Energy/Utah Olympic Public Safety Command operation conducted in 2000 (from which the book derived its name); and another exercise in June 2002 called Blue Cascades.

Both were exercises designed to analyse infrastructure dependency in America – determining what impact electricity disruption would have on telecommunications, how electricity supply needs telecommunications and gas, and so on.

If, as it appears from Verton's report of the exercises, American public safety officials were unaware of how interdependent the infrastructure has become, then it's no surprise that the exercises horrified their sponsors – because interdependency has become a recurring theme in the world of cyber-security.

Swallow the Little Pills First

This chapter sets the tone in another way: it shows enough things you know to make you believe the things you don't know. The book leverages what an IT-savvy reader already knows or believes is possible, using that to drag us into a deepening vortex of fear and threat.

From the 'reality' of the Black Ice and Blue Cascades exercises, we're carried into what, for much of what remains of the book, is a hodge-podge of real threat, surmised risks, exaggeration, and a peculiar form of self-aggrandisement by which the 'source' Verton cites most frequently is…

…himself.

On 65 separate occasions, the source to which a footnote refers is Verton's own work.

Now, I'm not familiar enough with Verton's work to know whether he's a source worth citing. That's not the point: at issue, in my opinion, is how the plentiful citations give an impression of research to what is all-too-frequently re-hash.

And the rehash suffers when, as frequently happens, Verton lapses into technical howlers inspired by his willingness to believe experts without seeking a second opinion.

Take this passage, for example, in which Verton falls into the IT journalist's habit of single-sourcing his information (in this case, Oyster Optics' CEO Seth Page):

“Optical taps placed in public and private optical networks would allow unfettered access to all communications and information transmitted across the fiber backbone, according to Page. “Available cheap and legally worldwide from various manufacturers, optical taps currently provide an excellent method of intercepting such data with virtually no chance of being detected and therefore a very low-risk chance of the intruder being caught,” according to Page. More importantly, most optical network equipment manufacturers and carrier networks do not incorporate protection and detection technologies to monitor such network breaches in real time, nor safeguard the optical signal, and therefore cannot hinder the extraction of sensitive data.”

Note that hinted criticism of lawmakers – optical taps (which have legitimate uses in research and in the field) should not be "legally" available.

Later, Page defines the optical taps he's talking about: “In reality, All that is required to extract all of the information travelling through an optical fiber is to introduce a slight bend into the fiber, or clamp onto it at any point along its length, and photons of light will leak into the receiver of the intruder.” (p124-125)

Well, in swallowing this stuff without chewing, Verton has strayed into CommsWorld's home turf, so I'd like to set a couple of points straight. The technique for tapping has been known for more than ten years – it was in the late 1980s when I was present at an ACOFT conference in Sydney, at which a researcher outlined the theory of tapping optical fibres.

To tap an optical fibre, you have to have access to the fibre itself – not to the cable's outer sheath, or whatever armour might be in the cable to make it strong enough to pull through tunnels, nor even the immediate plastic sheath that encases the glass. All of that stuff has to be stripped away to provide access to the hair-thin fibre itself, before the fibre can be bent and tapped.

Better tools mean it's easier to do this than it used to be - but if the terrorist were to mishandle the delicate fibre, he won't install a tap, he'll break it, which won't yield much useful stolen data.

Having neglected to mention these details, it's no surprise that Page also overlooked the existence of products like OTDRs, whose precise and long-standing purpose is to let engineers and technicians in a telecommunications carrier test the condition of a fibre, locate breaks, and look for anomalies in the cable's behaviour (such as unexpected signal loss or changes in optical impedance).

But carriers, it seems, don't know about OTDRs.

Industrial Control

It's easy to suspect that Verton not only knows he's discussing technology beyond most of his target readership; he's also prepared to exploit that ignorance to magnify the reader's perception of the threat.

SCADA (supervisory control and data acquisition – using computers to control industrial processes), for example, is treated as a recent development. It's not, of course: it's been a topic I've written about from time to time for my entire 15 years as a journalist. Either Verton thinks we don't know about SCADA – probably true for many readers – or it's a recent discovery for the author.

Or there's the way he frequently combines his threats – treating the switched telecommunications network as subject to the same vulnerabilities as the Internet.

Or there's the way in which one technology is needlessly divided to impress the reader (what's the difference between a radio signal, a wireless signal and a satellite signal? I don't know, but Verton thinks there is one).

Pulse Bombs

The obfuscation of technical detail becomes nearly farcical in the discussion of pulse weapons. Verton cheerfully starts with data collected in a nuclear test in the Pacific, which caused pulses 800 miles away; and from this he infers what can be done with an EMP weapon in a suitcase.

Well: I once went into pulse weapons in great detail with local researcher and defense commentator Carlo Kopp. His paper on pulse bombs was a huge hit; it was criticised in the US Congress for violating military secrets (because physics is a military secret); and both he and I had years of e-mails from out-of-the-way places asking us for more detailed designs.

The articles can be found in the December 1996 and January 1997 issues of Open Systems Review; and have been updated for publication at www.globalsecurity.org.

What you can do with a nuclear weapon, and what you can do with a serious pulse bomb (which doesn't yet exist), do not provide a basis for predicting what you can do with a suitcase. Whatever else happens, there's the inverse square law to deal with: a pulse that destroys at 10 metres would, at best, disrupt at 100 metres and is useless at 1 km.

Where he's not scrambling technology, Verton is wandering around people he knows in the intelligence and security communities and endorsing whatever they have to say.

And here lies Verton's greatest problem: he's conducted most of his research among like-minded people, so he's not inclined to treat their statements with any scepticism.

From the outside, though, it's clear that most of Verton's best sources have something to sell – products, services, egos, agendas, or budget proposals.

Most of Verton's sources (other, of course, than himself) are security consultants with services to promote; hardware or software vendors with products to sell; crackers and black-hats; or members of the US government-sector security community.

It doesn't take much imagination to suspect a consultant or a vendor of drumming up business; a hacker of big-noting his capabilities; or to think that a manager of a public service agency would like more money.

Dissent is distinctly unwelcome in this world: “media accounts … are often filled with officials who are trying to talk people out of their fears”, he asserts – with none of the extensive self-citations he uses to back up supporters.

Dissidents are dismissed not with evidence but with a sneer. They are wrong not because they mistake their facts, but because skeptics [sic] are “those who believe naively that terrorist-sponsored cyber-attacks are a thing of fantasy”.

There's no middle ground, here: if you don't believe in my fantasy, you're living in your own.

A capable editor would probably have helped, but it would not be easy to find an editor skilled in both book publishing and this degree of technical intricacy.

Contradiction

The book would be better were it not for Verton's habit of contradicting himself.

In Chapter 3, “Terror on a Wire”, Verton spends a lot of effort convincing us that the electricity grid is just as vulnerable to "catastrophic" Internet-based attacks as to physical attacks. However, in his enthusiasm to dismiss criticism, he writes of the often “subtle effects that such attacks and disruptions can and almost certainly will have.”

So Al-Qaeda is able to cause a "subtle catastrophe" in America's power grid…

Another (page 182): “the intelligence community's secret intranet … in about 125 posts around the world … allows intelligence analysts in the US to tap into the unique insight of Foreign Service officers”. The “secret” intranet is also described in the book as AOL, Yahoo and MSN rolled together and linked to classified data [emphasis added by CommsWorld].

That's an extraordinary amount of detail about a secret intranet, isn't it?

Or there's his dismissal of an NSA manager, William Black Junior, on the basis that he was a career NSA veteran who only spent three years in the private sector.

That's similar to the CV of one of the author's primary sources: “Richard Clarke, former chairman of the President's Critical Infrastructure Protection Board and the de facto cybersecurity czar, spent his entire career in the national security arena”, Verton writes (CommsWorld's italics).

For five chapters, we're told that America is ill-prepared, but one of the architects of that ill-preparedness is still fit for quotation. Here's how Verton cites the CV of Ed Badolato, “principal architect of the US government's readiness and response plan” from 1984 to 1989.

So one of the people who helped create an ill-prepared America is now a trusted source of information for Black Ice.

Contradictions are amusing, but not when they're the basis for what amounts to a long polemic: clichés to frighten simpletons rather than an explanation for why “cyber security is important to every American.”

Genuine Debate

I'm no blithe spirit when it comes to Internet security: there's plenty not to like about the way companies and governments misuse the Internet and expose themselves and others.

But debates can only rest on facts. A pop-tech fanzine frightener offers nearly no contribution at all.

Black Ice: The Invisible Threat of Cyber-Terrorism, by Dan Verton. Published by McGraw Hill.


© Copyright 2004, CommsWorld