The most fun aspect of writing my Computerworld.com column is reading the hate mail. It gives me a look inside the minds of people who think differently. Occasionally I learn why I was off-base about something, or I get information that helps me build out my understanding of a topic. More frequently, I see how people think, or how they don’tthink.
I recently delivered a column on the current administration's abuse of the NSA for domestic-spying purposes. Unfortunately, most of my detractors never made an attempt to address the underlying facts, or to understand the argument being presented. The majority of those e-mails began with statements along the lines of "you're an idiot!" and went on to make assertions about my politics based on what they believed to have read in the column. (There were a few who claimed a minor typo compromised the entire legitimacy of the article, but anyone with much Usenet or mailing-list experience tends to dismiss the deductive abilities of that sort of correspondent.) [Typo was mine, Ira; sorry about that. I did enjoy reading those e-mails, though. -- Angela G., Ira's editor.]
Correspondents who can't frame their criticisms coherently are amusing -- until I imagine them out in the field managing IT security, and then I start to worry. You'll never be a good security manager unless you understand why your adversaries think the way they do. You don’t have to agree with them, but you need to know the logic underlying their actions.
For example, when I investigate a computer intrusion or an espionage attack, I must figure out as much as I can about the assailant's motivation and skills. Is this a script kiddie who just wants the "prestige" of breaking into a system? Or is the attempt part of an espionage operation by a foreign intelligence agency? If the criminal party is an insider, are they malicious or are they greedy -- do they want to wreak havoc, or do they want money?
Why must I understand my adversary? I need to guess the resources they might put into their crimes. I need to figure out if they are sophisticated and might be going for valuable information, or they are just randomly fishing around. I need to know if I should check whether they might have put time bombs in the system, or if they got what they were looking for and left. I need to determine if they might be if they might have put backdoors in the system, or if they might have insiders supporting the efforts.
To make these determinations, facts must precede conclusions. Only after I look at the facts in evidence can I make decisions based on an informed assumption about the class the attacker fits into. Gross generalizations, however, are often the basis for radically wrong decisions in the security space.
The facts I presented in the NSA column were pretty basic and have by now been widely reported. Instead of disagreeing materially with those facts, some of my letter-writing readers resorted to emotion, jumping to the conclusion that because I criticized the sitting Republican president, I am part of some liberal conspiracy and that my message was therefore suspect. Such readers are driven by the imagery of a dragon.
What? Yes, a dragon. In my "Zen and the Art of Cybersecurity" presentation I talk about the concepts of knights and dragons, and in the NSA article I made reference to dragons and snakes. Snakes are real creatures, and they are imminently dangerous. But in order for a knight to be considered a powerful leader, there has to be a mighty dragon from which to protect the populace. Snakes are simply too ordinary.
Throughout history, leaders both good and bad have been adept at creating "dragons." To provide but a few examples in Western culture, the Crusades were about Muslims being in control of Jerusalem, so the popes at the time created the Muslim dragons. Hitler had the Jews. Reagan had the Evil Empire. Bush started his presidency with the Axis of Evil, until of course Osama bin Laden became an issue; when he couldn’t catch him, Saddam Hussein became the dragon. When his policies are attacked, there is the Liberal Media or Activist Judges. Radical Islam has The Great Satan. Certain American commentators last year had the "War on Christmas."
In the IT world, we have those mythical hackers, who are portrayed as so powerful that the government can be forgiven for not vanquishing them. (The comment by President Clinton that "a teenager with a computer is more dangerous than a terrorist with a bomb," is one of my favorite examples of a clueless creation of a dragon.) Pumping up the fear levels associated with these "dragons" serves to rally supporters around the knight in whom they can put their faith. Sometimes, though, the dragons are only created by someone hoping to be perceived as a knight.
My article attacks my detractors’ knight -- a threatening prospect for those who'd rather believe in dragons than deal with snakes. My editors and I weren't surprised, and once again it gave me the opportunity to look inside the minds of my would-be adversaries. My adversaries, unfortunately, weren't able to manage to accomplish as much. But I can help them, if they're willing to ask themselves just one question:
Would you be defending the NSA's domestic spying if Hillary Clinton were president?
If you are arguing for one administration to be able to bypass the FISA courts, then you are arguing that any potential administration should be allowed to bypass the FISA courts. Based on the opinions expressed in those e-mails and on their reluctance to engage with the facts of the matter, I am positive (based on the overwhelming majority of the e-mails) that over 99% of my detractors would fail the "Hillary Test" -- a sign that politics and emotion, not intellect, are driving their understanding.
If they aren't drawing their conclusions from facts, what's powering my detractors? Some of them are in fact not at all interested in security issues, but in other political causes (such as the pro-life movement) that they believe are best advanced by the current administration. Any attack on the current administration is an attack on their cause. The security issues are irrelevant to them, Their feedback is purely emotional and does not address security issues, and is therefore easily dismissed.
Other people are sincerely obsessed with the threat of terrorism and cannot believe that anyone would question any program that has the stated objective of stopping terrorism. These people are ruled by fear. Their decisions are not made rationally; therefore, any decision made with regard to security is likely to be both hasty and poor. Such people can and will be manipulated by anyone who makes any reference to terrorism -- even if the entities making those references can be proven not to have their broader interests at heart.
I, on the other hand, don’t care who is in power when it comes to this issue. Not only is the NSA domestic spying case being implemented in purposeful contravention of FISA, it has yet to be proven useful and is taking resources away from real investigations. This effect on resources is true and provable regardless of the party affiliation of the president demanding it. (To that end, anyone who has actually read my books, such as Spies Among Us, or other articles would never accuse me of being liberal with regard to hunting down terrorists or similar subjects.) My opinions come from studying the facts. I look beyond sound bites and imagery and look at results.
True security isn’t about inviolable safety --a creature as rare as a dragon -- but about the management of risk. My hate mail comes from people who claim that they want security against terrorism "at any cost." They acknowledge that law enforcement will be pulled from other, more common crimes and that there will be a loss of certain expected civil liberties. Since managing risk is a balancing act, they are actually drastically decreasing their security in other aspects of their lives. They hope to protect themselves from a dragon, even if it means death by snakebite.
Security decisions based on partisan politics or fear are bad security decisions. Leaders who make decisions from these perspectives are decreasing our security. The NSA domestic spying has not been shown to be effective in reducing the risk of terrorism -- and it increases the risk of other crimes, including some that may well benefit terrorist activities. Some people, for political or emotional reasons, are willing to accept that state of affairs. That's the greatest irony of the whole issue: People who cannot reasonably address the risks posed by the terrorists have already lost to them.