Truth About Computer Security Hysteria
Déjà vu with MI2. (Gee!)Rob Rosenberger, Vmyths co-founder
Saturday, 29 May 1999
I STUMBLED ACROSS the following verbatim press release:
Mi2g, an Internet software engineering firm, has warned that all companies could be at risk of damage to or failure of their systems due to a cyber attack or a virus setting their PC clocks forward. Simulations conducted by mi2g have apparently shown that non-Y2K compliant companies in particular could suffer if their system's time is forwarded or their network's internal clocks are reset by a hacker or a virus. Their simulation even showed that Y2K compliant companies could experience failure of software licenses, passwords and user accounts if clocks are set forward. In other news, mi2g, has warned that several companies, public organisations and academic institutions in NATO member nations have received e-mails carrying viruses. The e-mails have originated from a range of Eastern European countries and usually contain highly politicised attacks against NATO in poor English or in the form of propaganda cartoons. Commercial anti-viral software has so far identified 25 different strains of virus but mi2g is warning that anti-virus software may not be effective against advanced viral forms, some of which could be of an unknown kind or could be time-triggered to activate on a future date.
An mi2g press release in late 1997 rambled about a spectacular "breakthrough [which] heralds [an] internet paradigm shift" thanks to a concept known as, um, "lounges." It looks like they started pondering computer security this year when they published an "internal memorandum" about information warfare. In mid-April, a press release implied they collected "evidence" of pro-Serb hacking against NATO countries' computers. mi2g identified attacked companies & agencies by description (not by name) in their press release.
mi2g later issued a press release about a study they conducted on "Corporate Cyber Warfare Tactics." This study "reveal[ed] a real possibility that the Millennium Bug could cause chaos at any time." I don't really understand the need for such a study at this late stage. Mortgage companies, for example, suffered from Y2K at least as far back as 1970 and credit card firms suffered a few years ago from "00" card expiration dates. (Then again, mortgage companies back then didn't need to "fear" deadly Y2K infowar viruses.)
Then I noticed an odd math formula in mi2g's press release:
According to the law of network access, the total risk is a product of the individual risks at each node of the network and is directly proportional to the square of the accessible nodes. In the case of networks that are linked to the internet, the total number of vulnerable nodes can exceed 100 Million. Each of these vulnerable nodes could be targeted by a hacker and hence the total risk of Cyber attack is of the order of 10 to the power 16 (100 Million X 100 Million) times greater than the individual risk to a single computer.
The equation shows up in another mi2g press release as well. To me, this "law of network access" says each malicious user hacks into every computer on the planet ten times each day -- or it says the worldwide hacking risk is effectively zero percent on any given day. Neither interpretation fits the available evidence, but I don't know where I made an error. (This is a "law" of network access, after all.) In my defense, I own the alternate edition of Earl Swokowski's calculus book, and I still use my old Win31 version of Mathematica, and my ancient calculator runs on solar power, and I haven't taken a course taught by the math chair since 1995. Let's move on before I embarrass myself any further.
According to a press release dated this month, "sources" told mi2g of hacks against U.S. targets in retaliation for the Chinese embassy debacle. mi2g mentioned a "classified report" about threats to U.S. government systems and confirmed the White House's website "did momentarily stop around Monday noon (GMT)." It would seem this British firm's "sources" know quite a bit about attacks on American computers.
This press release, too, mentioned mi2g's study on "Corporate Cyber Warfare Tactics." AltaVista, HotBot, and Lycos returned zero matches on the title. (I didn't find anything on the "law of network access," either.) A manual search of mi2g.com turned up only an abstract describing it as "an exhaustive investigation into the pros and cons of the internet featuring in depth analysis of software solutions and descriptions of the scenarios used in internet-related warfare."
mi2g issued a press release just last week about the threat posed by "E-BOMBS — the next phase of Cyber War." In it, they reprinted another "internal memorandum" on "The Threat from Electronic Weaponry - Unstoppable Overwhelming Linked Reactions." Its conclusion seems far-fetched: "Civilian target sectors for E-mail bomb cocktails that precipitate unstoppable overwhelming linked reactions could include power generation and distribution..."
I consider the conclusion far-fetched because, well... Did the Melissa email bomb force technicians to scram rods at any nuclear power plant? Why didn't Osama bin Laden unleash a "jihad e-had" on the Hanford reactor facility after the U.S. shoved cruise missiles down his throat?
Unstoppable overwhelming linked reactions? A mathematical formula for a law of network access? Man, I get a distinct feeling of déjà vu here. mi2g reminds me in some respects of FutureVision Group...