[Published in the Skeptical Inquirer, vol. 30, no. 4, July/August 2006, p. 62.]

Cyberterrorism, Hoaxers, and Policymakers

Carolyn Meinel ("Hoaxers, Hackers, and Policymakers," March/April 2006) is right to conclude that we should be wary of unsubstantiated claims from "self-described computer security researchers," but her article itself makes unsubstantiated claims. She argues that the testimony of "Dr. Mudge" (Peiter Zatko) and fake hacker "Se7en" ("Christian Valor") before federal policymakers about "a looming electronic Pearl Harbor" may have been a cause of two events, yet she provides no evidence of a connection to either.

The first, a possible FBI sting operation, in which Khalid Ibrahim, a member of Indian separatist group Harkat-ul-Ansar, paid $1,000 to "Chameleon" (eEye Digital Security's Chief Hacking Officer, Marc Maiffret), is described fairly accurately in two books which Meinel says "hyped the raid to say that hackers were in league with al Qaeda." Neither Adam Penenberg and Marc Barry's Spooked: Espionage in Corporate America (2001, Perseus Books, ch. 9) nor reformed hacker Kevin Mitnick's The Art of Intrusion (2005, Wiley, pp. 32-34) is guilty of such hype; both mention the FBI operation theory and the fact that, despite Maiffret's admitting to receiving the payment, he was never indicted. Neither mentions al Qaeda; both correctly say that Khalid Ibrahim was in Harkat-ul-Ansar. There's no evidence that this incident had anything to do with Mudge or Se7en.

The second claim is that the hacker testimony led to a diversion of resources and attention from counterterrorism to cybersecurity on the part of the National Infrastructure Protection Center (NIPC), citing the fact that in 2000, NIPC spent only $4.9 million on counterterrorism, which mostly went for office equipment and training. Meinel concludes that this prevented NIPC from having the resources to follow up on Phoenix FBI Special Agent Ken Williams's memo about al Qaeda members at flight schools, citing a book by Gerald Posner in support of this conclusion.

Posner's book's discussion of the Williams memo (pp. 169-173) does not support Meinel's claim. Posner makes no mention of NIPC and attributes the failure to act on the memo to the failure of FBI middle management to recognize its significance--they considered devoting resources to check out the students at flight schools "too costly and time consuming, and a few even expressed concerns that such a probe might be criticized in Congress as racial profiling."

Meinel's argument unaccountably assumes that NIPC was the agency to follow up on the memo, rather than the FBI's counterterrorism division, even though NIPC's primary focus was cybersecurity and its total annual budget was less than $20 million through 2000. It makes far more sense to attribute FBI intelligence failures to its own antiquated IT infrastructure, which had forty-two separate database systems that could not be searched simultaneously. Congress withheld $60 million in funding for the FBI's IT infrastructure between 1998 and 2000 because of the agency's failure to produce a credible upgrade plan. That failure, in turn, was because FBI Director Louis Freeh was something of a technophobe, who didn't devote any resources toward developing a plan until he hired Bob Dies to begin work on the issue in July 2000. (See the "Missing Documents" chapter of Ronald Kessler's The Bureau: The Secret History of the FBI [2004, Palgrave Macmillan], and ch. 18 of Meinel's cited source, Gerald Posner's Why America Slept: The Failure to Prevent 9/11 [2003, Random House].)

Further compounding the intelligence failures was the CIA's "Alec Station" (a group devoted specifically to Osama bin Laden), which failed to supply critical information about September 11, 2001 hijackers to the FBI or the NSA, as documented in James Bamford's A Pretext for War: 9/11, Iraq, and the Abuse of America's Intelligence Agencies (2004, Doubleday, esp. ch. 9).

Finally, the idea of a major Internet attack having serious consequences is not a fantasy, as Meinel herself argued in "Code Red for the Web" in the October 2001 issue of Scientific American. In that article, she stated that risks are "far worse than not being able to make bids on eBay--potentially affecting product manufacturing and deliveries, bank transactions, telephony and more." She also points out in that article that as time goes on, the risks become greater as we become more dependent upon Internet infrastructure.

Today, there are millions of compromised end-user machines on the Internet, which are regularly gathered in large numbers under the control of individual entities, forming "botnets." Botnets are most frequently used as proxies for sending spam messages, but are also often used to launch distributed denial-of-service attacks. If such attacks were focused on particular pieces of Internet infrastructure, they could easily cause large disruptions for any companies that have neither huge amounts of bandwidth nor critical resources deployed in a distributed fashion with sufficient redundancy and protections to withstand large-scale attacks. Most of the attackers making use of these mechanisms today do so with impunity, with criminal prosecutions few and far between. An argument could easily be made that too few resources, rather than too many, are being devoted to combating Internet criminal activity.

Jim Lippard
Phoenix, Arizona

[Meinel responded at length in the same issue, pp. 62-63.]