Brinkmasterj's Security Blog

“Microsoft has vast resources, literally billions of dollars in cash, or liquid assets reserves. Microsoft is an incredibly successful empire built on the premise of market dominance with low-quality goods.”

Who wrote those lines? Steve Jobs? Linux inventor Linus Torvalds? Ralph Nader? No, the author is former White House adviser Richard A. Clarke in his new book, Cyber War: The Next Threat to National Security and What to Do About It.

It has been a few months since Clarke’s latest opus appeared, but it’s still making quite a splash. Clarke, after all, was the guy who repeatedly warned the White House about Al Qaeda before September 11, 2001. As a result, he has quickly become the most publicly identifiable person on the subject.

“While it may appear to give America some sort of advantage,” Cyber War warns, “in fact cyber war places this country at greater jeopardy than it does any other nation.” The enormous dependence of our financial and energy networks on the ‘Net open us up to potentially devastating online attacks. “It is the public, the civilian population of the United States and the publicly owned corporations that run our key national systems, that are likely to suffer in a cyber war.”

Large scale movement

Clarke takes readers through various famous cyberwar incidents, most notably the Distributed Denial of Service (DDoS) attack on Estonia back in 2007, but how bad could such events really get?

The hypothetical answer is on page 64. There Clarke deputizes you as Assistant to the President for Homeland Security and takes you through a scenario of doom. The National Security Agency has just sent a critical alert to your BlackBerry: “Large scale movement of several different zero day malware programs moving on Internet in US, affecting critical infrastructure.”

But by the time you get your office, one of the DoD’s main networks has already crashed; computer system failures have caused huge refinery fires around the country; the Federal Aviation Administration’s air traffic control center in Virginia is collapsing, and the hits just keep coming.

“The Chairman of the Fed just called,” the Secretary of the Treasury tells you. “Their data centers and their backups have had some sort of major disaster. They have lost all their data.” Power blackouts are sweeping the country. Thousands of people have already died. “There is more going on,” Clarke narrates, “but the people who should be reporting to you can’t get through.”

File under fiction

Clarke’s book has gotten tons of play with this sort of stuff—check out, for example, the scary interview he did with Terry Gross on NPR’s Fresh Air. But little of it impresses his critics.

“File under fiction,” begins Ryan Siegel’s review over at Wired. “Like in real war, truth is the first casualty.” Siegel warns that the tome is based on hypothetical scenarios (see above) or alarmist and inaccurate rehashings of various cyber emergencies. Plus, we note the book has no references or index.

Ditto, says Evgeny Morozov in the Wall Street Journal. “We do not want to sleepwalk into a cyber-Katrina,” he writes, “but neither do we want to hold our policy-making hostage to the rhetorical ploys of better-informed government contractors.” Clarke is one of four partners in the Good Harbor Consulting security firm.

But even his detractors acknowledge that some of Clarke’s broad arguments make sense—most notably his warning that the Pentagon can’t assume that the energy and financial sectors will effectively defend themselves from cyber attacks.

“At the beginning of the age of cyber war,” Clarke ruefully notes, “the US government is telling the population and industry to defend themselves.”

Money talks

Why has the national response to this problem been so slow? Lack of consensus on what to do and fear of the “R-word”—government regulation, Clarke contends. Then there’s Reason Number Five on his list, which basically boils down to “Microsoft.”

“Some people like things the way they are,” Clarke obliquely observes. “Some of those people have bought access.” Microsoft, he notes, is a prominent member of OpenSecrets.org’s “Heavy Hitters” political donor list. Most of the list’s stars are trade associations. “Microsoft is one of only seven companies that make the cut.”

The software giant’s largesse has shifted from Republicans back in the Clinton antitrust days to Obama, he continues, but the agenda is always clear: “Don’t regulate security in the software industry, don’t let the Pentagon stop using our software no matter how many security flaws it has, and don’t say anything about software production overseas or deals with China.”

Clarke tries to be fair. He notes that Microsoft didn’t originally intend its software for critical networks. But even his efforts at fairness are unflattering. Microsoft’s original goal “was to get the product out the door and at a low cost of production,” he explains. “It did not originally see any point to investing in the kind of rigorous quality assurance and quality control process that NASA insisted on for the software used in human space-flight systems.”

But people brought in Microsoft programs for critical systems anyway. “They were, after all, much cheaper than custom-built applications.” And when the government launched its Commercial Off-the-Shelf program (COTS) to cut expenses, Microsoft software migrated to military networks. These kind of cost cutting reforms “brought to the Pentagon all the same bugs and vulnerabilities that exist on your own computer,” Clarke writes.

Floating i-brick

The former White House advisor cites the 1997 USS Yorktown incident as a consequence. The Ticonderoga-class ship’s whole operational network was retrofitted with Windows NT. “When the Windows system crashed, as Windows often does, the cruiser became a floating i-brick, dead in the water.”

In response to this “and a legion of other failures,” the government began looking into the Linux operating system. The Pentagon could “slice and dice” this open source software, pick and choose the components it needed, and more easily eliminate bugs.

Clarke says that, in response:

[Microsoft] went on the warpath against Linux to slow the adoption of it by government committees, including by Bill Gates. Nevertheless, because there were government agencies using Linux, I asked NSA to do an assessment of it. In a move that startled the open-source community, NSA joined that community by publicly offering fixes to the Linux operating system that would improve its security. Microsoft gave me the very clear impression that if the US government promoted Linux, Microsoft would stop cooperating with the US government. While that did not faze me, it may have had an effect on others. Microsoft’s software is still being bought by most federal agencies, even though Linux is free.

The company took a similarly hard line towards the banking and financial industry, Cyber War says, rebuffing access requests from security specialists for Microsoft code. When banks threatened to use Linux, Microsoft urged them to wait for its next operating system—Vista.

“Microsoft insiders have admitted to me that the company really did not take security seriously, even when they were being embarrassed by frequent highly publicized hacks,” Clarke confides. Sure enough, when Apple and Linux began to offer serious competition, Microsoft upgraded quality in recent years. But what the company did first was to lobby against higher government security standards.

“Microsoft can buy a lot of spokesmen and lobbyists for a fraction of the cost of creating more secure systems,” concludes Clarke’s section on the software firm. “They are one of several dominant companies in the cyber industry for whom life is good right now and change may be bad.”

Required to do so

Given the considerable amount of criticism Cyber War has come in for, we’re not endorsing Clarke’s nightmare version of Microsoft’s history. And we’re more than a little nervous about some of his prescriptions for “change.” These include government rules ordering the big ISPs “to engage in deep-packet inspection for malware.”

Although these provisions should include high standards for privacy, “the ISPs must be given the legal protection necessary” so they won’t fear being sued for stopping malware, viruses, DDOS attacks, and worms. “Indeed, they must be required to do so by new regulations,” Clarke insists.

But many of the reviews and notices of Cyber War gloss over one of the principal observations of the book: the privatization of government over the last two decades may have saved cash but compromised the government’s ability to defend crucial portions of America from big and small attacks on the ‘Net. That’s a concern that bears further discussion, whatever you think of Clarke’s scary cyber stories.