Over at contentions, Max Boot has written skeptically about the fact that I have written skeptically about a new Defense Science Board study, which raises alarms about the Department of Defense’s vulnerability to cyber-attacks.
I had wondered, “if our adversaries are as good as we are saying they are at exploiting vulnerabilities in our technology, why are their brilliant programmers not going off on freelance missions to tap in, say, to the electronic systems of a Goldman Sachs and transferring its assets to themselves?”
Max says that “the short answer is they are doing precisely that. It’s just that the public doesn’t hear much about it because the targeted institutions want to keep as quiet as possible for obvious reasons, so as not to encourage copycats and not to endanger the confidence of their clients, investors, and counterparties.”
This I very much doubt. Major financial institutions operate in a highly regulated environment and are simply not permitted to conceal massive thefts. The big investment houses that do business in the United States are required to turn over immense reams of data every quarter to the Fed; they are also under intense scrutiny by the Securities and Exchange Commission. Most of them are publicly held. It is inconceivable that some hackers could siphon a couple of hundred million bucks from, say, Lehman Brothers, without shareholders learning of it. Even if the banks had the legal right to conceal massive thefts, I doubt they could. These kinds of institutions may not be quite as colander-like as the CIA, but if millions have been stolen from their coffers via a hacker’s keystroke, such juicy information would surely leak.
Like Max, I believe in protecting ourselves from all sorts of emerging threats, from nano-robots armed with lethal bacteria to Iranian ICBMs tipped with ayatollahs. But I don’t believe in developing a military policy based upon gropes in the dark.
One such grope is Max’s reference to a Financial Times story about a 2005 attack against the London offices of the Japanese bank, Sumitomo. That episode lends support to my view and casts skepticism on Max’s skepticism about my skepticism. A key phrase in Max’s telling of that story is that the thieves “almost managed” to carry out their plot. A somewhat different way of describing that same outcome is that they didn’t manage to carry it out.
How did Scotland Yard get wise to the cyber-thieves? They were uncovered when bells and whistles sounded after they tried to transfer funds electronically to an account in Israel. In other words, Sumitomo’s cyber-security kicked in. Perhaps Sumitomo subscribes to McAfee’s “Total Protection, 12-in-1” anti-virus and firewall software available for only $59.95 a year. Perhaps they paid much more to some smart programmers to build far fancier and more effective programs to guard against intrusion and theft. Whatever they have in place, the Pentagon needs to buy a version of it as well, and make sure that it is kept regularly updated. It worked for Sumitomo.
Yes, there are manifold dangers in the cyber-realm. One problem flows from the fact that approximately half of the U.S. population is of below average intelligence. This helps to explain why some 1.78 million Americans have fallen victim to fake emails encouraging them to disclose personal banking information. The ensuing losses total more than $1 billion to date. But bankers and the programmers they hire are decidedly not of below average intelligence. That is a major reason why electronic robberies of corporate coffers remain exceedingly rare.
This is not to say that the Pentagon should not be on guard. It should certainly be wary of purchasing software applications written by starving North Korean programmers toiling in front of Soviet-era workstations with Kalashnikovs pointed at their heads. And it also should be on guard against denial-of-service attacks of the kind Russia launched against Estonia earlier this year. But when Max cites that episode and concludes that “the U.S. is just as vulnerable to such an attack,” for the first time since I met Max a decade ago, I suddenly began to doubt his command of Estonian.
Silicon Valley is located in California not in Tallinn. Microsoft is located in Seattle not in Tartu. The GDP of Estonia last year was $26.8 billion. The market value of Lehman Brothers last year—one Fortune 500 corporation alone—was $38 billion. Is the mighty U.S. truly just as vulnerable to cyber-attack as mouse-sized Estonia? The U.S. may face dangers in the realm of malicious software and from hacking, but we also clearly face dangers from those who would exaggerate those dangers.
Max Boot is a good friend but I am afraid that there are only two ways that this bitter dispute can be settled. The first is that he and I face off in a duel. The second is that just before sundown on Sunday he should admit that he has been doing some groping in the dark. I will simultaneously make the same admission.
Before either of us reaches any firm conclusions about the Pentagon’s software problems, it would behoove us both to hear from computer experts in the financial industry—not just from those who are captives of our military-industrial-computer complex—about our real vulnerabilities and about the most cost-efficient way to address them.