Being Candide About Cyber Security

One of the funnier parts of the Sony hack was all sorts of people opining why it couldn’t be North Korea when their first-hand knowledge of intelligence activities could be inscribed on an index card with room to spare. I see something similar in this recent blast for a DC event:


In 2009, 60 Minutes reported that cyber attacks had shut down the electric grid in parts of Brazil. Around the same time, the NSA’s General Keith Alexander told reporters about a destructive cyber attack at a Russian dam. And just a year ago, a flock of renegade parrots allegedly caused a power outage for thousands of Californians. One of these stories was actually true – the wild parrots in California. The other events happened, too, only faulty equipment or poor maintenance was ultimately to blame. 

I was on the 60 Minutes episode and I described exactly how I learned about Brazil, so people could make their own decision. I heard the Brazil story from a senior CIA official who went on to work at the White House. He had to go through a long clearance process to get approval to talk publicly about what happened in Brazil (at a conference). This guy is one of the nation’s real cyber experts, has been doing this stuff for years, and is still in the field.      

Who the heck are their sources? Wikileaks had a State cable with a counter-story, but it was an econ officer talking to Brazilian officials and it struck me at the time as more State client-centric reporting. 60 Minutes, by the way, hired private investigators in Brazil to check out the story and they were comfortable running with it. A couple of days after Brazilian officials denied everything, there was a giant blackout in southwest Brazil, which I attributed to Divine Retribution (it was definitely not a cyber attack). 

On the Russian incident, I talked to Alexander about it, and he said that the dam event was caused by a network problem, not a cyber-attack (essentially, Russians screwed up a remote command sequence – operator error). He said it was an example of the kind of physical damage a cyber attack could cause. Maybe somewhere else he said it was a cyber attack, but not to me or the other people present. The account I heard was a little confusing, so maybe people misheard him and thought he said cyber attack.

It’s possible that both individuals were scamming me, but why would they bother? It’s also possible that they were misled themselves, that the intelligence sources that gave them what they thought was an accurate picture of things in Brazil or Russia were wrong. We could have a discussion of why some intelligence sources are better than others, but it’s fair to note that these sources have been wrong in the past.    

People don’t trust CIA or NSA, they’re mad at them, and as with Sony, there’s been an immense loss of credibility for the IC. So a simple assertion meets almost immediate skepticism or rejection. There are powerful incentives to disagree. There is another powerful incentive in the cybersecurity discussion that we can call the Pangloss effect, where people pretend that things are okay and annoying facts that don’t fit the ideology are discarded.   

As for the parrots, cute story, don’t know anything about it. You pick what you want to believe. All is for the best….