'60 Minutes' BIOS Plot May Be NSA Invention
"News," an old journalistic adage goes, "is what someone, somewhere wants to suppress. All the rest is publicity."
The two-segment piece CBS News' "60 Minutes" aired last night (Dec. 15) on the National Security Agency (NSA) was terrific publicity. Half a dozen NSA officials, including Director Gen. Keith Alexander, calmly explained how the NSA protects America from terrorists without treading harshly on Americans' privacy. Not a single critic of the agency was interviewed, or even named.
And then there was this scoop: The NSA stopped a "catastrophic" Chinese scheme, called the "BIOS plot," to "destroy every computer in the world."
"Think about the impact of that across the entire globe," NSA Director of the Information Assurance Directorate Debora A. Plunkett told CBS reporter John Miller. "It could literally take down the U.S. economy."
That was news to many security experts, who had never before heard of the "BIOS plot," even though "60 Minutes" asserted that "computer manufacturers" had worked with the NSA "to close this vulnerability." Such an undertaking would have been well known in the information-security community.
Plunkett gave only the barest outline of the supposed Communist scheme, not specifying when and how the plot was uncovered and foiled. CBS' confirmation of the plot's existence and provenance relied on unnamed "cybersecurity experts briefed on the operation" who "told us it was China."
Security experts aren't buying it.
How BIOS malware works
"There is probably some real event behind this, but it's hard to tell, because we don't have any details," wrote Robert Graham, CEO of Atlanta penetration-testing firm Errata Security, on his blog last night. "It's completely false in the message it is trying to convey. What comes out is gibberish, as any technical person can confirm."
It's technically possible to craft the kind of attack Plunkett described — a fake firmware update that infects the Basic Input/Output System (BIOS), a small piece of software built into the motherboards of most personal computers. (Macs and some recent Windows machines don't use BIOS.)
"So," Miller said during the interview, "this basically would have gone into the system that starts up the computer, runs the systems, tells it what to do."
"That's right," replied Plunkett.
"And basically turned it into a cinderblock," Miller said.
"A brick," Plunkett said, using the common techie term for a completely nonfunctional piece of hardware.
BIOS malware has been around for at least 15 years, and it wouldn't take much coding to corrupt the BIOS of an older motherboard so that it couldn't boot. (To repair the computer, the BIOS chip could be replaced or reprogrammed.) Newer BIOSes have security safeguards to prevent such attacks — but again, none of that is news.
"There's no special detail here," Graham wrote. "All [Plunkett and the NSA] are doing is repeating what Wikipedia says about BIOS, acting as techie talk layered onto the discussion to make it believable, much like how 'Star Trek' episodes talk about warp cores and Jefferies tubes."
"Stripped of techie talk," Graham said, "this passage simply says 'The NSA foiled a major plot, trust us.'"
Why China wouldn't destroy American computers
Other security experts questioned why China would want to destroy American computers at all, especially considering how interlinked the two countries' economies are, and how keeping infected computers running is much more advantageous for cyberspies.
"The problem I have with #60Minutes NSA story is that the BIOS story isn't believable," tweeted Graham's colleague, Errata Chief Technology Officer David Maynor. "If an enemy developed that attack, why brick the boxes?"
"I don't think that China, or anyone else on this planet, would damage the economy of the USA, for the simple reason that they would ultimately do damage to themselves (and their country/employer)," Avira researcher Sorin Mustaca told the Softpedia blog.
"I would fully understand if a government would try to control the computers in the U.S. (especially those that are critical)," Mustaca said, "but I don't understand why would anyone would want to destroy them."
In a behind-the-scenes video clip posted online, CBS News explained that the NSA approached the news organization about doing the piece, and that the agency reviewed the story before it was aired.
It's not clear whether Miller was hand-selected by the NSA to report the story, but he's not a regular "60 Minutes" correspondent. Miller has worked extensively as both a reporter — he traveled to Afghanistan in 1998 to interview Osama bin Laden — and also as a government official.
Miller has worked for the New York Police Department, the Los Angeles Police Department, the FBI and the Office of the Director of National Intelligence. He is reportedly being considered for another top job at the New York Police Department.
To get another side of the NSA story, read Ryan Lizza's long but very informative piece in this week's New Yorker magazine about the NSA. It's all online for free.
Lizza himself had some words after watching "60 Minutes" last night.
"Wow, the 60 Minutes piece about the NSA was just embarrassing," tweeted Lizza. "Kudos to the NSA communications staff. You guys should get a raise."