Posted on Monday, April 17th, 2006

Inflammatory Accusations

by Jeff Nathan

I recently wandered into Ann Arbor’s (and the first ever) Borders Books & Music store where I came upon a magazine titled “Skeptical Inquirer - The Magazine for Science and Reason.” At the bottom of the magazine cover, I read the text “Published by the Committee for the Scientific Investigation of Claims of the Paranormal.” No offense to anyone (hey, I’m an Art Bell listener), but the two don’t exactly jive. The cover story, titled “CYBERTERRORISM,” was contributed by the infamous Carolyn Meinel, and argues that claims made by the information security industry led to the creation of the US National Infrastructure Protection Center (NIPC), thereby causing the US FBI to divert resources and attention away from counter-terrorism and towards counter-cyberterrorism.

The reason the article caught my eye is that it is truculent in its absurdity. It essentially argues that Richard Clarke - former Chair of the President’s Critical Infrastructure Protection Board, former Special Advisor to the President for Cyberspace Security and former National Coordinator for Security, Infrastructure Protection and Counter-terrorism on the US National Security Council (NSC) - was so cut out of the intelligence loop that, while he worked towards the creation of the NIPC, he relied upon congressional testimony by the L0pht, overly hyped news media reports, and books claiming that a solitary US military web defacement was associated with Al Qaeda. While the article is rife with references, some of them are incomplete (such as missing page numbers within referenced books), others refer to political talking heads, and yet others cite the work of individuals whose journalistic ethics are questionable.

The crux of the article is a claim that neither policymakers nor infosec professionals followed the scientific method in discussing the dangers of cyber-terrorism. While I firmly believe that policymakers themselves aren’t inclined to follow the scientific method in decision-making, they’re fortunate enough to have advisors and invited speakers who do. Further, the methods used by some of the authors Meinel cites to obtain their information are anything but scientific; take the cited Ann Coulter article espousing reasons for pre-9/11 FBI investigation shortcomings. When compared to actual experts on the subject, Ann Coulter’s knowledge of the inner workings of the intelligence community and foreign policy is about as extensive as my knowledge of underwater basket weaving.

The heads of both the FBI and CIA sit at the NSC’s table, and the NSC is tasked with advising the President on intelligence and national security issues. To argue that Clarke relied upon news media reports for evidence to support the creation of the NIPC is ludicrous. The argument itself fails the scientific method, since it is difficult, if not impossible, to measure what Clarke took away from his NSC meetings or from his day-to-day job duties. Given his level of involvement, I find it highly unlikely that media hype played any part in NIPC’s creation.

The first and most inflammatory claim within the article is that the NIPC’s budget was improperly spent, and that the budget itself somehow contributed to a lack of resources that ultimately resulted in the FBI failing to investigate the flight school attended by the 9/11 hijackers. Based on the General Accounting Office (GAO, since renamed the Government Accountability Office) report cited in the article, the author claims that the NIPC’s anti-terrorism spending totaled US$4.9 million in 2000, of which $3 million was spent on office supplies. What the article fails to mention is that under the Federal Acquisition Regulation, information technology equipment (i.e. computers, of which the NIPC needed many) falls under the heading “Office Equipment.”

Several paragraphs paraphrase and recount news stories of people discussing the dangers of High Energy Radio Frequency (HERF) and High Power Microwave (HPM) weapons. If anyone in the US government ever gave credence to the threat of a civilian-developed HERF or HPM weapon, I’ll eat a McDonald’s hamburger and a slice of chocolate cake.* Ironically, an important point from the article was glossed over: the July 2001 train derailment and fire in Baltimore’s Howard Street tunnel, which burned through fiber belonging to several Internet backbone carriers. More on that in a future posting.

Several professionals from the infosec industry are mentioned by name and portrayed negatively in the article, including people I’ve worked with, such as Mudge. Mudge’s (and by extension the L0pht’s) 1998 congressional testimony is also discussed, specifically the famous exchange in which Mudge talks about crashing the Internet in 30 minutes. Meinel’s claim with respect to the testimony and information provided by industry experts is that they didn’t follow the scientific method and that their statements were nothing more than FUD intended to create hysteria. In reality, most skeptical minds consider Mudge’s statements to be far more rooted in fact than fiction. In all likelihood, Mudge was referring to severe, then-unpublished BGP vulnerabilities; BGP did not receive a thorough public security analysis until 2003, some five years later. The period between 1998 and 2003 was an eternity in information security. Though an Internet-scale failure didn’t occur during this time, that has nothing to do with the validity of the threat Mudge described.

The former NIPC was folded into the US Dept. of Homeland Security’s Information Analysis & Infrastructure Protection Directorate (IAIP). The need for IAIP is quite real, and to argue that its creation in some way substantially detracted from the ability of law enforcement to investigate before 9/11 is absurd. Based upon the cited GAO report, the combined 1999 and 2000 NIPC budget went primarily to agents’ salaries, $11.9 million in hardware and software, $3.3 million in field squad training and $12 million in contracts. Among the contracts listed are:

  • a foreign counterintelligence investigation (which I personally suspect to be Moonlight Maze)
  • InfraGard
  • the development of an early warning system
  • research of existing Internet topology

The total FBI budget in 2000 was $3.231 billion. So, ultimately, the article (and by extension Meinel) is arguing that the expenditure of a paltry $28 million, or roughly 0.9% of the FBI’s 2000 budget, substantially inhibited FBI investigations before the 9/11 attacks. I sincerely doubt that to be the case. My copy of the 9/11 Commission Report contains an index entry for neither IAIP nor NIPC. While my search was cursory at best, I didn’t find a single citation by the 9/11 Commission itself that refers to the IAIP or the NIPC.

* I’m into health and fitness and I don’t eat that junk.

10 Responses



Comment Post by: tqbf — April 17th, 2006 @ 9:30 pm EST

It’s a testimony to your whatever-it-is that you were able to balance a blog post on the fulcrum of a credibility smackdown between Mudge and Carolyn Meinel, “The Happy Hacker”. And when did you work with him?

  • Jeff Nathan Says:
    April 18th, 2006 at 2:38 pm

    Thanks for the comment, Tom. I like to think of the post as having been crafted with the delicate dexterity of Jason Garfield’s ten-ball juggling routine. We both know there wasn’t any actual credibility smackdown within the article. The relative absurdity of the claims made in the article simply caught my eye.

    As far as working with Mudge, you interact daily with Dave G. and Window; either of them could have reminded you that I worked for @stake in 2000 and 2001.

Comment Post by: mack23 — April 18th, 2006 @ 11:23 am EST

I haven’t read the Skeptical Inquirer in 20 years, but it was great back then. Its main mission was to apply scientific methods to claims of the paranormal (which certainly does jibe, although admittedly it may not jive). Typically, articles would debunk claims that this or that could ‘only be explained’ by ESP, or that so and so ‘had to be’ a flying saucer, or that somebody “must” have special powers because they could, say, bend a spoon with “mind power alone”. Invariably, SI would use Occam’s Razor to slit the throats of the nincompoops requiring supernatural explanations to explain their observations.

Apparently, they’ve now trained their skepticism on government. While this is laudable in principle, it seems they need to strengthen their review process. Identifying instances of “government waste” is trivially easy, and saying that any given instance of such waste “is responsible” for some sort of bad outcome which would have cost less than the wasted amount to prevent is simplistic in the extreme. I’d view anyone that made such a claim with a very skeptical eye.

  • Jeff Nathan Says:
    April 18th, 2006 at 4:33 pm

    Thanks for the note, mack23. This was the first Skeptical Inquirer (SI) article I’ve read, and the urge to comment on the note at the bottom of the cover page was irresistible. I listen to Coast to Coast AM all the time, and I don’t think all the guests are nutjobs…just some of them. So, I won’t pretend to look down on a magazine that has anything to do with the paranormal.

    I think most people working infosec are themselves skeptical inquirers. We’re open to the possibility of new things, we’re just very cautious of snake oil (i.e. skeptical).

    I’ll give SI its fair due by reading some of the other articles before making a truly harsh indictment of the magazine, if ever. From what you’ve explained, the cover story wasn’t exactly a shining example of its best material.

Comment Post by: Jim Lippard — May 22nd, 2006 @ 1:45 pm EST

Jeff:

Interesting to come across your post on this topic–I’m an Arbor customer and a longtime SI reader whose reaction to the article you’re writing about was similar. I posted at length about Meinel’s article on my blog when I received that issue, and also submitted a letter to the editor which I understand will be published along with a response from Meinel. Should be interesting!

Comment Post by: Jeremy Anderson — June 5th, 2006 @ 10:49 pm EST

I read Ms. Meinel’s article with horror, and fired off a letter to the editor regarding her. I was informed that it was “too ad hominem” to print. I sent him a link to your page.

Comment Post by: Carolyn Meinel — June 6th, 2006 @ 6:06 pm EST

For those of you who do not have access to my article in the Skeptical Inquirer, here is the reference I gave to some of the complexities of taking down the Internet: Staniford, Stuart; Paxson, Vern; and Weaver, Nicholas. 2002. “How to 0wn the Internet in Your Spare Time,” Proceedings of the USENIX Security Symposium 2002, http://www.icir.org/vern/papers/cdc-usenix-sec02/index.html. This paper has been reviewed and cited by many other analyses. The main point made against it is that, even given an 0-day against Ciscos, it is even harder, not easier, than the authors proposed. Clearly the top researchers in the field are united in disparaging Mudge’s claim that he could take down the Internet by himself “with just a few packets” and that it would take days for people to even find out what he did.

Nathan argues that exploitation of Border Gateway Protocol (BGP) must have been what Mudge had in mind. In Mudge’s defense, he never said this that I know of. In any case, the current standard, BGP-4, had long been in use in the core when Mudge gave his Senate testimony. (All bets can be off within an Autonomous System, but that’s another issue and another flame war.) To get an idea of the complexities of taking down the entire Internet via BGP-4, you are welcome to read these papers on various ways to do so:

  • “Understanding BGP misconfigurations,” by R. Mahajan, D. Wetherall, and T. Anderson, Proceedings of the ACM SIGCOMM Conference, Pittsburgh, Aug. 2002
  • “Pretty Good BGP: Protecting BGP by Cautiously Selecting Routes,” by Josh Karlin, Stephanie Forrest, and Jennifer Rexford, University of New Mexico Technical Report TR-CS-2005-37, October 2005
  • “Pretty Good BGP: Protecting BGP by Cautiously Selecting Routes,” by Josh Karlin et al., presented at the Fourth Annual Adaptive and Resilient Computing Security Workshop (ARCS2005), Nov. 2-3, 2005, http://www.cs.unm.edu/~treport/tr/05-10/pgbgp.pdf
  • “Listen and Whisper: Security Mechanisms for BGP,” by Lakshminarayanan Subramanian, Volker Roth, Ion Stoica, Scott Shenker, and Randy H. Katz, presented at the USENIX First Symposium on Networked Systems Design, March 29-31, 2004
  • “Security and Predictability: Two Missing Pieces in BGP,” by Lakshmi Subramanian, Workshop on Internet Routing Evolution and Design (WIRED), October 7-8, 2003, http://www.net.informatik.tu-muenchen.de/wired/position/lakme.pdf

As for FBI spending on counter-terrorism including all activities around the world, on Sept. 20, 2002, Michael E. Rolince, Special Agent in Charge of Counterterrorism, Washington Division of the F.B.I., testified before a joint hearing of the Senate and House Intelligence Committees that fewer F.B.I. agents in total were assigned to counterterrorism on Sept. 10, 2001 than in Aug. of 1998. See “TRACES OF TERROR: THE INTELLIGENCE AGENCIES; C.I.A.’s Inquiry On Qaeda Aide Seen as Flawed,” by James Risen, The New York Times, Sept. 23, 2002, Late Edition - Final, Section A, Page 1, Column 5. The Skeptical Inquirer story citation on domestic F.B.I. spending on counter-terrorism comes, as shown in the footnotes to the article, from the “Report to the Subcommittee on Technology, Terrorism, and Government Information, Committee on the Judiciary, U.S. Senate: Critical Infrastructure Protection; Significant Challenges in Developing National Capabilities,” General Accounting Office, April 2001, GAO-01-323. If this is not enough to be convincing, you can read the report of the 9/11 Commission, which goes into brutal detail about the FBI refusing to follow leads on al Qaeda because of refusal to spend the money on this low priority activity. Also you can read the pages I cited from “The Age of Sacred Terror,” by Daniel Benjamin and Steven Simon, in which they argue quite cogently that the FBI diverted money from terrorism to the hacker beat. These two men were staffers of Richard A. Clarke and therefore were clearly on the inside — as was the GAO and the Special Agent in Charge of Terrorism.

I rest my case.

Comment Post by: Jeff Nathan — June 12th, 2006 @ 8:18 pm EST

Carolyn,

The paper by Staniford, Paxson and Weaver discusses worm propagation and attacks, not focused attacks against the routing infrastructure of the Internet. The two are separate and distinct.

I believe it was former Senator Fred Thompson who asked the question that resulted in the now famous quote. The quote below comes from one of the few remaining sources providing any of the testimony, CBS News:

“I’m informed that you think that within 30 minutes the seven of you could make the Internet unusable for the entire nation. Is that correct?” Thompson asked.

“That’s correct,” replied Mudge, a frizzy-haired computer security expert. “Actually, one of us, with just a few packets,” he added, referring to bundles of data that flow across the global computer network.

He went on to describe generally a process to separate “the different major long-haul providers,” such as AT&T, so its network couldn’t exchange information with other major networks, such as MCI.

“It would definitely take a few days for people to figure out what is going on,” Mudge said.

After reading the account above it’s pretty clear that Mudge was explaining vulnerabilities in Internet routing to the uninitiated (i.e. Congress). Mudge never made a secret of the fact that he was talking about BGP; to argue anything else is just silly at this point.

I’m not an expert in Internet routing and I’ve never claimed to be one. However, I do have the benefit of working with some experts in the field, Danny McPherson and Craig Labovitz, and of working for a company that’s in the business of BGP expertise. BGP security didn’t simply pop up overnight; it evolved. I firmly believe that in 1998 it was every bit as vulnerable as Mudge suggested.

The interested reader might consider a more complete treatment of the topic by reading Practical BGP by Russ White, Danny McPherson, Srihari Sangli.

The timeline of the sources you’ve cited for information on BGP misconfiguration does not in fact detract from the L0pht claim. The earliest citation in the lot is August 2002; more than four years after the L0pht’s Congressional testimony. Again, this is an eternity in the development of Internet security technology.

As I stated originally, the budgetary considerations afforded to the NIPC (IAIP) were a drop in the proverbial ocean of the FBI’s budget. While the GAO report describes issues with the development of the NIPC, it specifically deals with electronic counter-terrorism, not the non-electronic variety. The GAO reports are clear in their accounting of the NIPC budget for fiscal years 1999 and 2000. To argue that the diversion of .009% of the FBI’s budget substantially contributed to an intelligence gathering failure, real or otherwise, is far fetched at best. The numbers do not stack up.

I spent $3.95 to read the New York Times article you cited so I could extract the quote you’re referring to:

Without forceful direction from the White House, American intelligence and law enforcement officials handling counterterrorism cases were frequently short of resources and often distracted by competing tasks. Michael E. Rolince, a senior F.B.I. official, told the Congressional committee last week that there were fewer F.B.I. agents assigned to counterterrorism last Sept. 10 than there had been in August 1998, at the time of the embassy bombings in East Africa.

If your assertion is that an FBI computer forensic analyst should have been reassigned to non-electronic counterterrorism, I have to question whether the two skillsets overlap, let alone converge.

Last, the cited NIPC report describes the FBI’s intelligence capabilities at the time as limited. Quoting directly from page 43 of the report:

Although NIPC officials cited a need for more personnel, they also cited a need for personnel with more experience and expertise in computers, infrastructure operations, and intelligence analysis. NIPC officials said that most of the FBI employees assigned to the [Analysis and Information Sharing Unit] have had limited expertise in these areas and have lacked the skills necessary to perform the assigned functions. The FBI’s 1998-2003 Strategic Plan corroborated these assertions, noting that FBI analysts often have had little or no training in intelligence analysis and lack experience in the subject matter for which they are responsible.

The FBI staffed 153 intelligence analysts prior to 9/11, according to Jane’s Defence Review. Pre-9/11, the FBI was primarily a law enforcement agency.

Arguing that a small section of the FBI with a small budget and small staff compared to the rest of the FBI contributed to a lack of prior knowledge which ultimately led to the success of the attacks is offensive on many levels, the most obvious of which is that it blames everyone but the criminals responsible for the 9/11 attacks.
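
The routing failure Mudge described to the Senate (one network being cut off from the long-haul providers it exchanges traffic with) and the mitigation Meinel cites (Pretty Good BGP) can both be shown with a small simulation. The following is an added example, not code from the original post or from any commenter, and not from the PGBGP authors: a toy path-vector model in Python over a constructed topology in which every ASN and prefix is made up. A rogue AS announces a bogus more-specific prefix belonging to another AS. Without any origin check, every AS in the topology, including the legitimate origin, ends up forwarding the victim's traffic to the rogue AS. With a simplified version of the PGBGP idea (a learned route whose origin is unfamiliar for a prefix already in the table, or for a known prefix covering it, is not installed) only the rogue AS itself is affected. Two simplifications are assumptions of this example: PGBGP proper quarantines suspicious routes for a time window rather than dropping them, and real BGP applies policy (local preference) before AS_PATH length.

```python
import ipaddress


class PathVectorNet:
    """Toy BGP-like path-vector routing over an undirected AS graph.

    Best route for a prefix = shortest AS_PATH, ties broken by the lexicographically
    lowest path (i.e. lowest next-hop ASN). Real BGP applies policy (local preference)
    before path length; that is deliberately left out of this constructed example.
    """

    def __init__(self, links, cautious=False):
        self.adj = {}
        for a, b in links:
            self.adj.setdefault(a, set()).add(b)
            self.adj.setdefault(b, set()).add(a)
        self.originated = {}                            # prefix -> set of origin ASNs
        self.rib = {asn: {} for asn in self.adj}        # asn -> prefix -> AS_PATH (self first, origin last)
        self.history = {asn: {} for asn in self.adj}    # asn -> prefix -> origins previously installed
        self.cautious = cautious

    def originate(self, asn, prefix):
        """`asn` starts announcing `prefix` as its origin, legitimately or not."""
        self.originated.setdefault(prefix, set()).add(asn)
        self._converge()

    def _acceptable(self, asn, prefix, path):
        """Simplified PGBGP rule: if this AS already holds a route for the prefix, or
        for a less-specific prefix covering it, a learned route whose origin is not
        among the origins seen before is treated as suspicious and not installed.
        (PGBGP proper quarantines such routes for a time window; here they are dropped.)"""
        if not self.cautious:
            return True
        net = ipaddress.ip_network(prefix)
        covering = [(ipaddress.ip_network(known), origins)
                    for known, origins in self.history[asn].items()
                    if net.subnet_of(ipaddress.ip_network(known))]
        if not covering:
            return True                                  # brand-new address space: nothing to compare against
        _, origins = max(covering, key=lambda kv: kv[0].prefixlen)
        return path[-1] in origins

    def _converge(self):
        """Iterate the decision process until no AS changes its best path."""
        changed = True
        while changed:
            changed = False
            for asn in self.adj:
                for prefix, origins in self.originated.items():
                    cands = [(asn,)] if asn in origins else []   # own origination is always accepted
                    for nb in self.adj[asn]:
                        p = self.rib[nb].get(prefix)
                        if p and asn not in p and self._acceptable(asn, prefix, (asn,) + p):
                            cands.append((asn,) + p)          # `asn not in p` is AS_PATH loop prevention
                    best = min(cands, key=lambda p: (len(p), p)) if cands else None
                    if best != self.rib[asn].get(prefix):
                        self.rib[asn][prefix] = best
                        changed = True
        for asn in self.adj:                                   # remember which origins we have accepted
            for prefix, p in self.rib[asn].items():
                if p:
                    self.history[asn].setdefault(prefix, set()).add(p[-1])

    def lookup(self, asn, ip):
        """Forwarding decision at `asn`: longest-prefix match, returns the origin ASN (or None)."""
        addr = ipaddress.ip_address(ip)
        best = None
        for prefix, path in self.rib[asn].items():
            net = ipaddress.ip_network(prefix)
            if path and addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, path)
        return best[1][-1] if best else None


# Constructed topology; every ASN and prefix below is made up for this example.
# Two long-haul providers (1 and 2) peer with each other; 11 and 12 are customers of 1;
# 21, 22 and the rogue AS 666 are customers of 2.
LINKS = [(1, 2), (1, 11), (1, 12), (2, 21), (2, 22), (2, 666)]
VICTIM_PREFIX, VICTIM_ORIGIN = "10.0.0.0/8", 11
HIJACK_PREFIX, ROGUE_AS = "10.0.0.0/9", 666     # more-specific: wins longest-prefix match everywhere


def run_scenario(cautious):
    """Return the sorted ASNs whose forwarding decision for a victim address ends at the rogue AS."""
    net = PathVectorNet(LINKS, cautious=cautious)
    net.originate(VICTIM_ORIGIN, VICTIM_PREFIX)   # legitimate route converges first
    net.originate(ROGUE_AS, HIJACK_PREFIX)        # then the bogus more-specific appears
    return sorted(a for a in net.adj if net.lookup(a, "10.1.2.3") == ROGUE_AS)


if __name__ == "__main__":
    print("no origin check  :", run_scenario(cautious=False))   # every AS, even the victim
    print("PGBGP-style check:", run_scenario(cautious=True))    # only the rogue AS itself
```

Run as a script, the first list contains every AS in the topology, the victim included: because forwarding is by longest prefix match, the bogus /9 wins regardless of how long its AS_PATH is, which is why a misconfigured or hijacked more-specific prefix is the classic way a single announcement blackholes a network and cuts it off from the rest of the Internet. The history check only helps because the legitimate /8 was already in every table when the /9 arrived; a practitioner relying on a heuristic like this should expect false positives on legitimate renumbering and multi-homing changes, which is exactly why PGBGP delays adoption of such routes instead of dropping them.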

Comment Post by: Well Now — July 4th, 2006 @ 12:06 am EST

Great work, thanks.

I am, however, broken hearted. All this time I have thought so highly of Carolyn Meinel - not!

Comment Post by: goodie — November 6th, 2006 @ 5:30 am EST

Very entertaining issue. I haven’t heard of this one. It will be necessary to visit you on a thicket!
