William Safire, of the New York Times, recently wrote an article (http://www.nytimes.com/2004/02/02/opinion/02SAFI.html also cached here) about "The Farewell Dossier." (See also on CIA's unclassified site: http://www.cia.gov/csi/studies/96unclass/farewell.htm) In it, he describes a clandestine operation that mooted a number of Soviet efforts to steal American industrial technology. It's kind of scary stuff, and I encourage you to read it. A key extract of the article from CIA's site reads:
American industry helped in the preparation of items to be "marketed" to Line X. Contrived computer chips found their way into Soviet military equipment, flawed turbines were installed on a gas pipeline, and defective plans disrupted the output of chemical plants and a tractor factory. The Pentagon introduced misleading information pertinent to stealth aircraft, space defense, and tactical aircraft.(4) The Soviet Space Shuttle was a rejected NASA design.(5) When Casey told President Reagan of the undertaking, the latter was enthusiastic. In time, the project proved to be a model of interagency cooperation, with the FBI handling domestic requirements and CIA responsible for overseas operations. The program had great success, and it was never detected.
Safire's article goes a step further and asserts that:
The technology topping the Soviets' wish list was for computer control systems to automate the operation of the new trans-Siberian gas pipeline. When we turned down their overt purchase order, the K.G.B. sent a covert agent into a Canadian company to steal the software; tipped off by farewell, we added what geeks call a "Trojan Horse" to the pirated product.
"The pipeline software that was to run the pumps, turbines and valves was programmed to go haywire," writes Reed, "to reset pump speeds and valve settings to produce pressures far beyond those acceptable to the pipeline joints and welds. The result was the most monumental non-nuclear explosion and fire ever seen from space."
I'm recognized in the computer security community as a detractor of the concept of "information warfare" - mostly because I think that what InfoWar proponents describe as a new form of warfare is really just intelligence operations applied to new technology. In other words, it's not rocket science, but it may be applied to rocket science, as we see from the CIA article. This is scary and powerful stuff, when you realize that a piece of computer software was deliberately jiggered to blow some unsuspecting oilmen to kingdom come. The geopolitical reasons behind it (they didn't call it a Cold "War" for nothing) were compelling, but the implications are vast.
Right now, on one hand, we're spending billions of dollars for this Myth of Homeland Security in the hopes of protecting against terrorists, rogue states, and ideological nutcases. But, on the other hand, corporate America is lining the pockets of executives by driving costs down (and their stock options up) by outsourcing virtually every aspect of non-creative information technology to 3rd world nations. We've all heard of the massive code-shops in India, where analysts estimate that 60% of US code is being written today, and as much as 90% will be written by the end of the next 10 years. Do you see the razor blade hidden in the apple? I'm somewhat concerned at the idea of the economic effects of this activity, but I'm terrified by the national security implications. Let's talk homeland security, shall we?
Last year I got a call from an investment banker in Singapore, who was looking for a programming expert who could do "due diligence" on some software that one of their clients was considering acquiring. The acquirer was a Canadian company, the seller a US company, and the software had been written in Bangalore. After some discussion, I was informed that the software regarded embedded systems and microprocessor controls, etc - specifically, the software was guidance software "of the type" used in the Joint Direct Attack Munition (JDAM) - a glide-bomb that uses GPS to home in on its target. We all saw JDAMs in action during the most recent gulf war, and it was a JDAM that accidentally (?) hit the Chinese Embassy during the NATO intervention in Kosovo and bombing of Serbo-Croatia. As someone concerned with national security, I can only ask, "What the F!*K?" Sure, once you have the concept of a JDAM and a GPS chip and some actuators and some software, you can build your own pretty quickly. But why roll out the red carpet?
I'm not a paranoid and I'm not a John Bircher but I sometimes wonder if we're worried about the wrong things. On one hand we're spending billions of dollars against a nebulous threat when on the other we're spending billions of dollars to put ourselves in grave and very real danger. Remember the pipeline explosion? How about a JDAM that doesn't fly right if the target is within GPS coordinates approximating your national borders? That's just a simple paranoid fantasy - the reality could be a lot worse. I don't know. We don't know. In fact, we can't know - if we were to try to audit all those jillions of lines of code we're buying from India, we'd need so many talented programmers it'd be cheaper to write it ourselves in the first place.
Am I becoming a convert to the notion of Information Warfare? I don't think so. You don't need to worry about InfoWar if you're potentially facing a good old-fashioned ass-whupping. When I was a kid I remember I read a science fiction story about a race that was very technologically advanced but were extreme pacifists. They sold weapons to anyone who wanted them - cheap, good, and mighty powerful weapons. Nobody ever attacked them because they assumed that the species actually was holding back all the really good stuff for their own use. Until one day, someone discovered that, in fact, they had been selling all these weapons as a way of population-controlling the other species in the galaxy. So - the other races attacked in force. And every weapon they had promptly blew up.
When pundits talk about the "electronic Pearl Harbor" it's not going to look like hackers taking down Wall Street and our cell phone networks. It's going to look like the Farewell Dossier. And I see no sign that we're doing anything but hastening down the path of maximum vulnerability in the name of short-term profits and pumped-up balance sheets that boost executive bonuses. It'd be a shame to see one of history's most interesting experiments in governance fail because of short-sightedness and corporate greed.
This is a difficult topic for me to even write about, since outsourcing of US high tech jobs to India has become an election year issue and I'm a former software engineer. I suspect it's easy to dismiss my thoughts as just sour grapes from a protectionist. In fact, I hope I am completely wrong and that history shows me to be a fool. I really do.
mjr.
Morrisdale, PA. Feb 1, 2004