Security Government United States Your Rights Online

US Unable To Win a Cyber War 327

An anonymous reader writes "The inability to deflect even a simulated cyber attack or mitigate its effects shown in an exercise that took place some six days ago at Washington's Mandarin Oriental Hotel doesn't bode well for the US. Mike McConnell, the former Director of National Intelligence, said to the US Senate Commerce, Science, and Transportation Committee yesterday that if the US got involved in a cyber war at this moment, they would surely lose. 'We're the most vulnerable. We're the most connected. We have the most to lose,' he stated. Three years ago, McConnell referred to cybersecurity as the 'soft underbelly of this country' and it's clear that he thinks things haven't changed much since then."
  • Duh. (Score:3, Interesting)

    by Pojut ( 1027544 ) on Wednesday February 24, 2010 @12:34PM (#31260600) Homepage

    Tell us something we don't know. When script kiddies can invade government networks, I'd say that we are pretty much screwed if an all-out digital conflict were to happen.

  • by MozeeToby ( 1163751 ) on Wednesday February 24, 2010 @12:35PM (#31260618)

    What they don't understand is that it isn't going to be the government or the military that responds to a real cyber attack, it's going to be a nationwide army of several hundred thousand IT admins working 70-hour weeks to keep their companies secure and operational. Once solutions are found they'll be posted to the web and disseminated faster than the new attacks can be devised. In short, cyberwarfare won't work for the exact same reasons that censorship won't work: there are too many people working against the attackers who can communicate too quickly and too effectively.

    Or, to put it another way, http://xkcd.com/705

  • by pauljlucas ( 529435 ) on Wednesday February 24, 2010 @12:40PM (#31260702) Homepage Journal
    Why are things like power plants, banks, or telcos directly connected to the internet? You'd think they could afford a completely separate network.
  • Told ya! (Score:1, Interesting)

    by Anonymous Coward on Wednesday February 24, 2010 @12:44PM (#31260772)

    There once was a time when we had the best, cutting edge people in the security biz. Yes, this was a long time ago, when we had most of the technology too.

    Then they passed various laws, which had good intentions. But the negative side effects killed any curiosity that new students had in exploring this field. Businesses helped ensure this death of talent, by threatening certain schools by not hiring students who took classes that the Businesses found threatening.

    One could see the results a mile off. We have a whole generation who is ignorant and unprepared to fight such a war. Many of the more incompetent of them are even under the delusion that they are really hot stuff. But incompetent people are blind to their own incompetence, while the bad guys have free rein to test their skills every day.

    If you want a chance at some hope to defend this nation, you need to free the students to explore and learn. Until that happens, you'll always be owned by the bad guys. There's not a chance in the world of this happening yet though. The entire rotten system has to come crashing down first. The good news is that with the $700 Trillion ponzi scheme of derivatives, this is about to happen via the Global Financial Crisis.

  • by jd.schmidt ( 919212 ) on Wednesday February 24, 2010 @12:56PM (#31260958)

    For the same reason we can't win a space war, we have the most to lose. The more systems you have dependent on an asset, the more vulnerable you become in that asset.

    Note however, that doesn't mean you are in a weaker position, an asset is still an asset.

    Convenience isn't just convenient, it is time saved you can use to do other things. We just need to start waking up to what is a security risk and what isn't. What we need to protect and what we don't and finally drills on what to do if the primary system fails.

  • by Monkeedude1212 ( 1560403 ) on Wednesday February 24, 2010 @12:59PM (#31261006) Journal

    You fail to realize that it is not "one network cable" that connects us to (let's say China). The robustness of the internet means that every route to China must be cut in order to stop the attack.

    That means England has to cut their ties with China. And France. And so on and so forth until everyone that North America can access no longer has access to China. If we leave the pipes open to India, and India is still open to China, that's a route through to the US. Thus we resort to IP Blocking, but then spoofing and proxies come into play - making things more complex.

    The other solution to stop the attack is to disconnect all the network cables that access any other country, leaving you with an internet that spans North America alone.

    Personally, if it ever comes to a cyber war, I think it will boil down into a World War kind of thing. One side will cut ties and allegiances will be made. The West will be on their own private network and the rest of the world on theirs, creating two out of sync "Internets".

  • by Animats ( 122034 ) on Wednesday February 24, 2010 @01:00PM (#31261018) Homepage

    I wrote this to The Atlantic, which is a "think piece" magazine read by some decision makers in Washington.

    After seeing that show, I was struck by the cluelessness of the panelists. I don't expect them to understand how networks really work, but they didn't even understand the organizations involved. Key organizations in a crisis like that would be the North American Network Operators Group and the North American Electric Reliability Council, along with the US Computer Emergency Response Team. The participants didn't know that, and they didn't have staffers to tell them.

    The panelists were obsessing over whether they had enough authority to do something, while totally lacking any idea of what to do.

    There are a few reasonable steps they could have taken at their level.

    • First, after a physical attack on electric power facilities, get troops guarding key substations. The NERC would know where those are, and there should be a plan in place to do that.
    • Second, faced with a massive attack via "smart phones", ask network operators to temporarily disable 4G and 3G services while keeping voice up. That would cut traffic 90% and stop further infections. Cellular voice service would probably come back up.
    • Third, ask ISPs to temporarily block all HTML/MIME email, while allowing text email. That would stop most attacks against PCs and virus transmission. Yes, the FCC lacks the authority to order this. But if CERT and NANOG simply asked network operators to do that in an emergency, 99% would do it.
    • Fourth, activate the Emergency Broadcasting System, which uses AM radio, for a Presidential address. That will get through even if almost everything else is down.
    • Fifth, get FEMA cranked up to provide emergency services in areas with power outages. That's where people are going to die. Everything else is an economic problem.

    Having taken the initial steps, the next priority is bringing the electrical grid back up. If substations were damaged, it may be necessary to move some very large transformers around, and possibly to import them from other countries. Military assets (i.e. big transport aircraft) should be made available to help with that.

    In parallel with this, the intelligence community and DoD can work on who's behind the attack. But that's not going to be dealt with in the first hours. Don't obsess on hitting back.

  • by Nethemas the Great ( 909900 ) on Wednesday February 24, 2010 @01:00PM (#31261020)

    The US has been and will be stuck back in WWII thinking until it's too late. When you invest in war ships, tanks and fighter planes you have something to "show" people. It's pretty hard to demonstrate what you got for the money when it comes to the security of intangible things. The installation of a firewall just doesn't make one go "oooh and ahhh" like the vaporized city and mushroom cloud from a 10-megaton ICBM. Even a security fence and a camera or two around a municipal water supply isn't very "impressive" compared to the demonstration of raw power an F-22 can unleash.

    Worse still is when people do play "tickle-tickle" with our soft underbelly the response tends to be blowing up FedEx packages, taking off our shoes, having dogs sniff our crotch, and groping pregnant ladies.

  • by vlm ( 69642 ) on Wednesday February 24, 2010 @01:25PM (#31261384)

    "Why are things like power plants, banks, or telcos directly connected to the internet? You'd think they could afford a completely separate network."

    A short summary of the problem:

    Obviously no one manipulates the reactor control rods over the internet, outsourced to India. Although there is probably an intense desire by the MBAs to do so. Obviously the marketing guys have their PR website on the internet.

    The problem is the devices in between. At a past employer, they had a customer who had to cancel aircraft flights when their net access was down. They had to submit some form or list to the FAA or DHS or big brother or whatever for each flight, and they had a backup plan to submit the info over telephones/cellphones, but not the personnel to handle the load of all flights on backup, so the least essential flight would be canceled. Sales gave them an elaborate SLA.

    That is how you shut down a nuclear plant using the internet. They can't email incident reports to the N.R.C., so they have to shut down for "safety's sake". It's not that it's technically dangerous, but intentionally operating without N.R.C. oversight might be a $10M/hour fine, so they aren't gonna do it. Or maybe the plant guards won't get paid unless their internet accessible timeclock application works, they won't work for free, and the plant is not allowed to work without guards. Or the VOIP customer service in India is inaccessible and for safety reasons you can't supply power with no way to learn of lines down in the street and/or dispatch the service techs, so off goes the power to the city. To save money, city water SCADA system is now on the internet instead of a private net, and when the inet goes down, no water, no water means the plant shuts off. That's how you use the internet to shut off a nuclear power plant, not some B.S. about remotely adjusting the control rods and turning pumps on and off.

    What was almost certainly not discussed during the govt simulation was the need to remove useless regulations, because that gets the proletariat wondering if those regulations are really required under normal circumstances...

  • Change the system... (Score:4, Interesting)

    by thestudio_bob ( 894258 ) on Wednesday February 24, 2010 @01:41PM (#31261634)

    Unfortunately for the U.S., the problem started decades ago. The downfall began when the corporations convinced politicians to make stronger and stronger laws to punish those who hack their system or product. This led to the idea that instead of fixing any security issues, it was easier and cheaper to try to punish those who hacked. Fast forward to today, and now there's the more laws, EUA's, DMCA's, etc.

    If you discover exploits and try to go public with it, the first thing the targeted company might try to do to squash the "exploit" is either litigate or file criminal charges.

    I'm not saying that there shouldn't be laws against hacking into systems, but the current environment doesn't bode well for making these systems any more secure. It would be nice if there was some kind of "whistle blower" protection for those who discover exploits and maybe a company or government agency that you could disclose these exploits to in order to receive this protection.

    Maybe there could be laws enacted that require a company to fix the exploit within a certain amount of time once it has been reported or something. If not they could either be fined or held accountable if any sensitive data is breached. Not sure, but something needs to be changed.

  • by Anonymous Coward on Wednesday February 24, 2010 @01:54PM (#31261842)

    A "Cyberwar" will be used as part of a campaign for a larger objective. When (not if) China chooses to "annex" Taiwan, the attack would likely go as follows:

    US power plants go down because of SCADA systems attached available to anyone who finds them. Other embedded systems will get torn apart, from HVAC systems to traffic light control, paralyzing cities. This will happen all at once, both on CONUS, but on ports the US uses abroad, and in Taiwan as well. As a farewell gift, routers and such are zapped of all configuration to make it harder to reconnect and get infrastructure working, especially core wireless items, such as the infrastructure between towers. Even worse, most companies and organizations have no backup infrastructure in place so a simple dd if=/dev/zero of=/dev/sda will cause permanent data loss. Or random corruption is done to archive records, making them unusable for criminal or civil proceedings down the line.

    By the time the mess is cleaned up (and with embedded systems, there *will* be physical damage, such as safety valves jammed shut, causing BLEVEs), the Red Guard will have firmly garrisoned the island nation and will be telling the US that an attack there will result in a nuclear exchange.

    Another possibility will be an attack against the Falkland Islands by Argentina. As of recently, that nation has been wanting to take British oil interests in the area, even trying to attack oil rigs. One can expect the UK to be hit by a coordinated attack on critical systems, as well as its allies. Then the next thing would be Argentina with help from Chavez (who is in dire need of a military victory against Europe and the US to bolster his credibility) will be invading the Falkland Islands. No, the islands may not be a major strategic issue, but they have a lot of oil underneath, and would love to attack the UK's oil interests and turn the oil derricks into torches.

    Of course, there is Russia. America's grid goes down, and Russia pushes into Western interests without a shot being fired. Since most of Europe went "green" and ditched their national security for reliance on Russian gas, expect no help from France or Germany, as neither country wants its population to freeze to death, and both countries like their cities to have their lights on. It wouldn't even take a cyberattack to make Europe kowtow to Russia... just the threat of turning off the natural gas pipes.

    Of course, the Middle East comes to mind. The one oil pipeline that Russia hasn't seized yet that goes through Georgia. Georgian computers go down, American grid suffers, Russian tanks plow into Georgia proper calling it a police action, depose the government and set up a puppet system. Combine that with a military action to grab control of the Persian Gulf, and Russia now has complete control of Europe's and America's oil supplies. Game. Point. Match. Checkmate.

    The problem? A good number of American companies don't give a shit about security. Since security has no ROI, little but lip service is paid in that direction. They expect that they can hire an army of consultants to repair any breach 24/7, so don't do anything except put some random policies in place. Of course, come a military strike against American interests, these companies will be having their systems used as staging points and proxies to make it virtually impossible to find out who disabled a cooling system at a nuke plant, causing a SCRAM across all reactors and plunging the grid into a blackout.

    When a "cyber attack" that is worth the name happens, the lights will go off, then the ships will sail into some country's harbor, and the troops will be moving in. It won't be done just for giggles by some foreign nation, it will be done in concert with another brutal offensive.

  • by Areyoukiddingme ( 1289470 ) on Wednesday February 24, 2010 @01:58PM (#31261922)

    Yes, the real responders will be CERT and NANOG. I'd be willing to bet that some fair percentage of the people with their hands on the keyboards in NANOG would be able to fire up their HAM sets if the backbones got so totally overwhelmed that nothing could get through. I KNOW they don't care if their fucking cell phones don't work. They have desks with three screens and a keyboard and a hardwired phone on them. What happens to their daughters' iPhones in no way interferes with their jobs.

    But I have a hard time imagining any purely digital situation that would take down the backbones. Script kiddies have been running DDOS botnets for a decade now. The backbones have seen it all, done it all, and when you get right down to it, the trans-Atlantic and trans-Pacific links aren't big enough to saturate the continental backbone. We have a LOT more fiber in the ground than we do underwater.

    The only situation that could take down the backbone is an extended, multi-state power outage, and guess what: we've been there and done that. The northeast power outage was our worst case scenario made manifest. Those of us in the Midwest knew about it, but barely even noticed it in our day to day lives. Our grid stayed up, our phones still worked, and business went on as usual for most of us. Those who needed to talk to eastern seaboard customers/employers/whatever had a quiet few days, that's all.

    Sure, it looked like the participants were clueless. And I know the old saw about never attributing to malice what can be explained by incompetence. But I've seen the names of the participants, and I know for an absolute fact that malignance is one of their primary motivations. They seek power, at all costs, and they will do anything to get it, including lie, cheat, steal, and manipulate anything and everything they can affect. I think they do have the staffers who can tell them about NANOG and CERT and NERC and they don't like the fact that those organizations exist without their explicit control over everything they do.

    They want the authority, in law, to order NANOG around, on any pretext. They want the authority, in law, to disband CERT if they feel like it. They want to exert the full force of the US Government to make all these 'maverick' network operators stand and salute when they say so, or lose their jobs. They've heard how the Internet views censorship as damage and routes around it and they want control of the people who control the routers. They want the power and they want the money, and they're going to do their damnedest to stampede their herd of useful idiots into giving it all to them. They are sociopaths and psychotics and we can only hope they die of old age before the country falls headlong into a French Revolution of purges, pogroms, and random bloodletting.

  • by mcgrew ( 92797 ) * on Wednesday February 24, 2010 @02:46PM (#31262618) Homepage Journal

    even nationalizing the power companies.

    I'm all for that, cyberwar or no. Maybe not have the power companies run by the US government, but by local or county governments. My gas company Amerin is a private utility that is a power company as well in most of the state, my electric company is CWLP, owned and operated by the city. The difference between these two utilities is astounding.

    CWLP has excellent customer service, the lowest rates and the highest uptime of any electric utility in the state, and makes a tidy profit for the city as well, offsetting taxes that would otherwise have to be paid. My gas company, otoh, makes Comcast look good. The reason is simple: if CWLP's customer service goes bad, if the power is out much, or if the rates go up too much the Mayor loses his job.

    Amerin's customer service is abysmal, but what is one to do? Many local folks have gone all-electric because of their shoddiness. There isn't even a local office to pay the bill, you have to snail mail it or go to a currency exchange and pay an extra dollar. It's not like you can go to the other gas company down the street, and propane is out of the question. Because of this, they are not beholden to anyone but the stockholders.

    The free market works well when there is a free market, but there is no free market when it comes to utilities or any other natural monopoly. I'd like to see all utilities taken over by local or county governments. The customer has at least some say then.

  • by Anonymous Coward on Wednesday February 24, 2010 @02:47PM (#31262636)

    Isn't all that flag waving, jingoist nonsense for the jocks and the more physically aggressive types in society? Why would those marginalised to their bedrooms and basements for much of their formative years feel any obligation or urge to fight for so ethereal a concept as a nation? What is a nation but a line drawn in the sand to divide one tax paying group of people from another tax paying group of people? Aren't there more interesting things to do like watching Battlestar Galactica or playing Bioshock 2?

  • by Anonymous Coward on Wednesday February 24, 2010 @02:47PM (#31262644)

    This is getting ridiculous.

    Is every problem in the world caused by government bureaucracy?

    Here is the basic outline of this argument

    Step 1) Drop an anecdote about some way a government agency was an inconvenience.

    Step 2) Assume that every government program is equally inconveniencing.

    Step 3) Hyperbolic conjectures about various ways the government is doing everything wrong and basically destroying everything.

    Oh, and on a side note, this also proves how terrible govt stimulus is, clearly it should have solved the US cyber weaknesses as a part of the completely unrelated goal of fixing the economy.

  • by tlambert ( 566799 ) on Wednesday February 24, 2010 @03:17PM (#31263024)

    How many "accidental" undersea cable cuts in 2008? ...just saying...

    -- Terry

  • by besalope ( 1186101 ) on Wednesday February 24, 2010 @03:31PM (#31263238)
    The Persian Gulf only accounts for ~24% of US crude imports. While a loss, it won't stranglehold us. If all of OPEC were to cut off the U.S., it would be ~55% of our imports gone, which at that point we would likely stop exporting to Japan and others and shift the flows from Alaska back to us. OPEC, while a cartel, is not known for solidarity. Their profits would be hurt far too much for all of them to cut off the U.S. Besides, if we strategically place the U.S. Naval fleets we can cut off all the major world trade routes quite easily. From there, a couple surgical strikes on certain pipelines/supply lines and our "enemies" will be no better off than the U.S. The reason we are so "dependent" on foreign oil is not due to a lack of supply within our geopolitical borders, but rather a subtle strategic play to maintain resources in case a war like this were to occur. Why deplete our own resources during peace, leaving us dry during conflict, when we can use those of other countries, while safeguarding our own until we need to tap into the deposits?
  • by Anonymous Coward on Wednesday February 24, 2010 @04:16PM (#31263844)

    If your country is blocking Anich, though, that does limit many things. The hacker in Anich can't directly attack your government box, nor can he directly connect to a hacked privately owned box in your country to then use to attack your government box. The hacker in Anich can't directly access *any* box through a route that goes through your country.

    Now imagine that Anich has started a cyberwar against your country. Your country *and all its allies* block connections from Anich *and all Anich's allies*. Hackers in Anich now have to figure out a path through the few remaining countries that aren't blocking them. This may actually be impossible - perhaps every country bordering Anich is blocking Anich, which is a reasonable thing for them to do, considering they don't want their computers to be a network battleground for the attacks and counterattacks going on.

    This doesn't make all activity stop - Anich could have agents physically inside other countries - but it stops Anich from using its planned strategy of utilizing the army of nationalist college students within its borders and claiming the government of Anich had nothing to do with it.

  • by Areyoukiddingme ( 1289470 ) on Wednesday February 24, 2010 @04:49PM (#31264278)

    The children are often different, and the grandchildren, if the money stays around that long, can be very different. The children of sociopathic royalty are often dilettantes and ne'er-do-wells, or uninterested in power for power's sake. I don't see Chelsea Clinton ever being effective in politics. Nearly all of the Kennedys active in politics were the same generation, with a few exceptions in the current generation, and their children are so numerous and so obscure that even the obsessives at Wikipedia can't be bothered to name them all, let alone follow their careers. Bush Jr. is basically a dilettante and what little I've heard about his daughters puts them in the same (political) category as Chelsea Clinton. Dick Cheney has two daughters, neither of them active in politics, and one of whom is unelectable and unappointable because she's gay.

    Americans really aren't all that good at political dynasties.

    Now corporate dynasties, that's a whole other thing... Paris Hilton is a notable exception in being a totally incompetent heir. Budweiser, Hunt, Carnegie, Rockefeller heirs all quietly control billions, along with many others whose names you rarely hear. There may be trouble, there.