
Are US Computer Networks A 'Key Battlefield' in any Future Conflict with China? (msn.com)

In a potential U.S.-China conflict, cyberattackers are military weapons. That's the thrust of a new article from the Wall Street Journal: The message from President Biden's national security adviser was startling. Chinese hackers had gained the ability to shut down dozens of U.S. ports, power grids and other infrastructure targets at will, Jake Sullivan told telecommunications and technology executives at a secret meeting at the White House in the fall of 2023, according to people familiar with it. The attack could threaten lives, and the government needed the companies' help to root out the intruders.

What no one at the briefing knew, including Sullivan: China's hackers were already working their way deep inside U.S. telecom networks, too. The two massive hacking operations have upended the West's understanding of what Beijing wants, while revealing the astonishing skill level and stealth of its keyboard warriors — once seen as the cyber equivalent of noisy, drunken burglars. China's hackers were once thought to be interested chiefly in business secrets and huge sets of private consumer data. But the latest hacks make clear they are now soldiers on the front lines of potential geopolitical conflict between the U.S. and China, in which cyberwarfare tools are expected to be powerful weapons. U.S. computer networks are a "key battlefield in any future conflict" with China, said Brandon Wales, a former top U.S. cybersecurity official at the Department of Homeland Security, who closely tracked China's hacking operations against American infrastructure. He said prepositioning and intelligence collection by the hackers "are designed to ensure they prevail by keeping the U.S. from projecting power, and inducing chaos at home."

As China increasingly threatens Taiwan, working toward what Western intelligence officials see as a target of being ready to invade by 2027, the U.S. could be pulled into the fray as the island's most important backer... Top U.S. officials in both parties have warned that China is the greatest danger to American security.

In the infrastructure attacks, which began at least as early as 2019 and are still taking place, hackers connected to China's military embedded themselves in arenas that spies usually ignored, including a water utility in Hawaii, a port in Houston and an oil-and-gas processing facility. Investigators, both at the Federal Bureau of Investigation and in the private sector, found the hackers lurked, sometimes for years, periodically testing access. At a regional airport, investigators found the hackers had secured access, and then returned every six months to make sure they could still get in. Hackers spent at least nine months in the network of a water-treatment system, moving into an adjacent server to study the operations of the plant. At a utility in Los Angeles, the hackers searched for material about how the utility would respond in the event of an emergency or crisis. The precise location and other details of the infrastructure victims are closely guarded secrets, and couldn't be fully determined.

American security officials said they believe the infrastructure intrusions — carried out by a group dubbed Volt Typhoon — are at least in part aimed at disrupting Pacific military supply lines and otherwise impeding America's ability to respond to a future conflict with China, including over a potential invasion of Taiwan... The focus on Guam and West Coast targets suggested to many senior national-security officials across several Biden administration agencies that the hackers were focused on Taiwan, and doing everything they could to slow a U.S. response in a potential Chinese invasion, buying Beijing precious days to complete a takeover even before U.S. support could arrive.

The telecom breachers "were also able to swipe from Verizon and AT&T a list of individuals the U.S. government was surveilling in recent months under court order, which included suspected Chinese agents. The intruders used known software flaws that had been publicly warned about but hadn't been patched."

And ultimately nine U.S. telecoms were breached, according to America's deputy national security adviser for cybersecurity — including what appears to have been a preventable breach at AT&T (according to "one person familiar with the matter"): [T]hey took control of a high-level network management account that wasn't protected by multifactor authentication, a basic safeguard. That granted them access to more than 100,000 routers from which they could further their attack — a serious lapse that may have allowed the hackers to copy traffic back to China and delete their own digital tracks.
The details of the various breaches are stunning: Chinese hackers gained a foothold in the digital underpinnings of one of America's largest ports in just 31 seconds. At the Port of Houston, an intruder acting like an engineer from one of the port's software vendors entered a server designed to let employees reset their passwords from home. The hackers managed to download an encrypted set of passwords from all the port's staff before the port recognized the threat and cut off the password server from its network...

  • Yes (Score:3, Informative)

    by Kernel Kurtz ( 182424 ) on Sunday January 05, 2025 @04:03PM (#65064567)
    Duh.
    • Re: Yes (Score:4, Insightful)

      by Z00L00K ( 682162 ) on Sunday January 05, 2025 @05:09PM (#65064741) Homepage Journal

      Especially since many critical systems now are cloud based and not local, so just deny the cloud access and a company may go under.

      • Re: Yes (Score:4, Insightful)

        by ctilsie242 ( 4841247 ) on Sunday January 05, 2025 @06:28PM (#65064909)

        This. So many companies have "cloud first" initiatives, at first because even if OpEx was 10x the cost of CapEx, it made a company look lean and mean to not have actual stuff bought.

        If the bad guys got into AWS or Azure, and for example, were able to create a user that would authenticate as Entra as Global Admin, not show up on logs, and allow for full access, almost every F500 company in the US would be hosed. If someone hacked AWS and managed to nuke all the EC2 instances in an AZ, that would be trillions of dollars of losses right there.

        Yes, people believe tossing eggs in a secure basket is good, but when you get a basket that's chock full of goodies that it allows for full authentication in almost any major company in the US, the bad guys are going to do nation-state tier stuff to get in, including compromising admins (extortion/ransom), and other big-money attacks that would be worthy of a spy movie, just because the rewards are there. If a hacker group managed to shut down every AWS AZ and zap all its data, they would have a unique, and unparalleled place in history as "heroes" the world over, as well as enough street cred to always have a base of operations in any country that doesn't have an extradition agreement to the US and EU.

        The cloud is the biggest weakness in the US. If Entra was down for good, every company in the US would be down for good too.

        • Extradition agreements are for the small fish. For big fish as the ones you describe there are drones and ICBMs.
    • Re:Yes (Score:5, Insightful)

      by gweihir ( 88907 ) on Sunday January 05, 2025 @05:12PM (#65064749)

      Indeed. But not only with China. Too many US organizations and Enterprises are laughably easy to hack, due to a lack of regulation. The market will not do it.

      • Re:Yes (Score:4, Informative)

        by Kernel Kurtz ( 182424 ) on Sunday January 05, 2025 @05:34PM (#65064807)
        China is certainly not the only threat. Russia, Iran and North Korea are in that list as well. And vulnerabilities are not specific to the US, they are just the biggest target. Plenty of news stories of hacking incidents by the above actors all throughout the western world on a regular basis. If you are sitting back feeling safe because you think your government has it all under control, you shouldn't.
        • Re: (Score:2, Interesting)

          by cusco ( 717999 )

          Ah, yes, the phantasmagorical fearsome North Korean hacker army, whose country's entire Internet access relies on a couple of fiber links that have to go through the Great Firewall of China, who somehow manage to acquire elite skills without any competent instructors using antiquated cast-off machines from China and Russia. BE AFRAID!! BE VERY AFRAID!!11!!

          It never ceases to amuse me that people always assume that it's governments attacking, not professional mercenary hackers. And of course never mentioned

          • Ah, yes, the phantasmagorical fearsome North Korean hacker army, whose country's entire Internet access relies on a couple of fiber links that have to go through the Great Firewall of China, who somehow manage to acquire elite skills without any competent instructors using antiquated cast-off machines from China and Russia. BE AFRAID!! BE VERY AFRAID!!11!!

            They seem to have functional nukes and have not blown themselves up yet so there must be some smart people there. Indeed if you are a smart person in NK where else are you going to work besides the government lol. You don't need supercomputer horsepower to be effective either, you can still do a lot of damage from a cast-off machine. Even from your mom's basement.

            It never ceases to amuse me that people always assume that it's governments attacking, not professional mercenary hackers.

            There are those too of course. They mostly want ransoms which is an important but different threat.

            And of course never mentioned are the Pentagon's several thousand absurdly named "cyber warriors", or the multiple Israeli military and criminal cracker groups, or the intel agencies with their collections of Zero Days.

            Yeah, you don't hear much about what "our"

            • by cusco ( 717999 )

              They seem to have functional nukes

              Wow, they've managed to build up to 1945 level of technology! How impressive!

              Considering that in China adequate network security is required by law, and tested with serious fines for failure, it's likely that we're not getting very far. They scrapped their Cisco gear over a decade ago, so they can control the Great Firewall as tightly as they want.

              • Wow, they've managed to build up to 1945 level of technology! How impressive!

                Indeed one of only a handful of countries to do so.

                Considering that in China adequate network security is required by law, and tested with serious fines for failure, it's likely that we're not getting very far.

                I have absolutely no reason to believe Chinese coders are more capable of writing secure code than westerners. Laws and fines do not magically make code secure. Certainly as an end user Chinese apps are almost universally cringe-worthy.

                • by cusco ( 717999 )

                  One of the few countries stupid enough to waste a massive amount of resources on a weapon that they can't use. Not much of a recommendation.

      • The ironic thing is that because of how Chinese corporations are structured, where the government always has their reps on board, they actually value security. Where a US company will say that "security has no ROI, and we don't care about user data like this list of SSNs", a Chinese company will be told by the government that they are going to achieve a security level, where data is stored at a baseline, even it means the company makes less money. With a government in charge, they can do things that would

        • Damn, I wish I had mod points - I'd just mod you Insightful instead of replying.

          The ironic thing is that because of how Chinese corporations are structured, where the government always has their reps on board, they actually value security. Where a US company will say that "security has no ROI, and we don't care about user data like this list of SSNs"...

          While good for security in the ways you mentioned, the Chinese model has other oft-discussed glaring flaws. But Western nations could reap a substantial portion of those Chinese security benefits if they just held corporations meaningfully accountable for both their actions and their inaction. A few fines in the tens-of-billions range, and a few penalty-initiated bankruptcies, would be a hell of a wake-up call to both C-levels a

          • by gweihir ( 88907 )

            Indeed. Liability and/or regulation with _real_ teeth would do it nicely. Well, the EU is slowly moving in that direction. The US, not so much.

    • by fred133 ( 449698 )

      Bits and Bytes are cheaper than Bullets and Bombs.
      So ...yeah that's where it's happening even now.
      https://www.researchgate.net/publication/314435081_Bits_and_Bytes_vs_Bullets_and_Bombs

  • and who will pick up the tab for changing out of the cheapest bidder for outsourced IT

  • Snowden showed us how insistent Bush and Cheney were about expanding US dominance and direct control over foreign governments. It's no surprise that others have since decided not to sit idly by.

  • Future Conflict? Where has the WSJ been for the past few decades?
  • Betteridge's Law (Score:5, Interesting)

    by SlashbotAgent ( 6477336 ) on Sunday January 05, 2025 @05:01PM (#65064713)

    No.

    China's computer networks will be the key battlefield in a cyber war.

    Ukraine shows us that war is still a matter of hardware spilling blood in the mud and not much happens on the cyber front beyond propaganda.

    Cyber interruption of the power grid isn't a thing, so much as missiles into the power plant.

    • Re:Betteridge's Law (Score:4, Informative)

      by cusco ( 717999 ) on Sunday January 05, 2025 @08:58PM (#65065273)

      Fortunately most SCADA networks are air gapped, but the networks of the companies that run the power grid are not so well protected. How long do you think that Pacific Gas & Electric will be able to function without its operations and management staff being able to communicate with the guys in the field? Where are they going to get power when short term contracts (some of which last only hours) expire and their phone and email networks are down? Now with Smart Meters communicating over cellular links, the ability to simultaneously shut off tens of thousands of meters would be an economic and social disaster (especially in winter), and the resulting crash in electrical usage will put a large metropolitan grid into serious imbalances and could easily cause major hardware to fail. Even the air-gapped SCADA networks rely on non-protected assets like UPS power and air conditioning.

      TLDR; Not all the dangerous infrastructure attacks are obvious.

    • How is Ukraine's economy and infrastructure digitized compared to the US? Maybe they've managed to do it more securely rather than every company rush to dump everything into a single point of failure (cloud services) and outsource all their labor. As far as Ukraine's power plants, they sound like old Soviet tech, it wouldn't surprise me if they don't have a network connection on anything critical.

      It's easy for Russia to send a missile into Ukraine because they're already engaged in full-scale war. They also

    • No.

      China's computer networks will be the key battlefield in a cyber war.

      Ukraine shows us that war is still a matter of hardware spilling blood in the mud and not much happens on the cyber front beyond propaganda.

      Cyber interruption of the power grid isn't a thing, so much as missiles into the power plant.

      Battlefield arenas in a real hot war will not be confined to just that battlefield. If China disabled most of the US electrical grid, that would be tantamount to a declaration of war, and the response would not be confined to just computer security related responses. That is, in terms of declaring war, there is no difference between a computer security attack versus a Pearl Harbor type of attack. They're essentially the same declaration of war. Since the US has identified China as being capable of disab

  • by gweihir ( 88907 ) on Sunday January 05, 2025 @05:05PM (#65064727)

    The US has made the strategic mistake of allowing its industry to have "cheap" IT Security with no consequences, completely overlooking that networks happen to be global and that there is really no way to change that. So not a "battlefield". More a "site of an upcoming and long-term catastrophic defeat".

    Good luck!

    As to Europe, the situation is a bit better due to stricter privacy laws, which also demand IT security according to the state-of-the-art and that come with real penalties. Not really good either with things like o365 and US clouds in use, but at least the topic has not been completely ignored. There is also KRITIS (NIS2) which will bring regulation, penalties and reporting to a lot of industries that did not have any so far. The US would do well to copy all that posthaste.

    • The phrase "security has no ROI" has been a part of company DNA for decades. Maybe even since the 1990s, when people decided it was A-OK to start putting confidential stuff on a public network, as opposed to having separate networks that were not directly connected to the Internet.

      Especially with this offshoring push. If you allow foreign companies to manage your stuff, you allow foreign governments and their intel divisions into your stuff. This is a fact lost on a ton of F500 companies. All it takes i

      • by gweihir ( 88907 )

        The really stupid thing is that, of course, security _has_ an ROI and it is typically a nice one. It just realizes only over a few years and sometimes one or two decades. If you are blind to long-term strategy, of course it would look like there is no ROI. But remember that banks have vaults and they are pretty much a result of the same effect after it got _really_ bad.

        • Agreed. Security has an ROI if one has common sense. However, we are talking about the general business management who really doesn't care, because even an egregious breach will be all but forgotten in a quarter. The only thing it -might- affect is that they have to coerce/bribe/persuade client or government officials harder in order to keep the contracts renewed.

          • by gweihir ( 88907 )

            Until it gets bad enough that no amount of bribes or coercion will help. And it will get that bad. But seeing that would require strategic insight.

            • I wonder when that point would get reached. I thought it would be reached when peoples' credit card details were released, or after the OPM breach, but it seems that no matter what the leak, a mass LifeLock subscription purchase, some PR stating, "well, the person who did that is no longer with us, and we forced everyone to change their AD passwords" is good enough to have the event forgotten about next quarterly investor meeting.

              I do wonder what type of event would action to be taken. Right now absolutel

              • by gweihir ( 88907 )

                I think we are getting close. For example, the 2021 complete (!) exchange online compromise (discovered in 2023 and not by Microsoft) would have done it if the attackers had been after sabotage. So would, say, permanently bricking 50% of all Windows computers, which the TPM requirement may actually make possible. Or maybe taking down some critical infrastructure long-term over the Internet.

                Honestly, at this time the vulnerabilities are bad enough for a number of large-scale catastrophes to be entirely plaus

  • by Tough Love ( 215404 ) on Sunday January 05, 2025 @05:09PM (#65064735)

    Do these networks have Microsoft machines on them? If so then they are death zones for corporate security. Re-image all those machines with Linux and now you've got a citadel instead of a flophouse.

    • Not even Linux might be enough these days. Maybe the MLS version of Linux.

      • MLS is one thing, but for desktops, having an immutable OS may be a must have as well, maybe even going to a complete container based system like QubesOS, where there is effective application isolation.

        There are a lot of layers to think about for effective security. Everything from how applications communicate with each other to what applications can communicate to what sites. It might be a plus where applications come with a manifest of sites they can connect to, and are barred from trying to connect to

        • You are basically describing the capabilities of SE Linux, the Linux security framework. Very mature, very flexible and very hermetic. Not going to wipe your ass for you, there's a learning curve.

          • SELinux and AppArmor are useful, but this is a different layer. SELinux has a learning curve, but with tools like audit2allow, developers can ensure their applications have the permissions they need without too much trouble.

            Linux does have some good protection mechanisms, such as SELinux/AppArmor, and fapolicy. However, it may not be bad to look at "taller fences" similar to what QubesOS has.

      • Configuration is everything. Clueful sysadmins are everything. With Linux at least you can count on the tools to support you accurately, reliably and verifiably. But in the end security is a process that is up to you.

      • By the way, one thing that is true of Linux: every flavor of Linux is capable of being reconfigured to have exactly the same security details as every other flavor. In particular, Debian, which has now firmly established itself as ground zero of all Linux distributions, is infinitely re-configurable. Speaking from experience. So you can go drink the Kali Linux koolaid if you like - I for one will not disparage you, far from it - but please sort the hype from reality. Nothing you can do with Kali is impossib

      • by cusco ( 717999 )

        Sure, convert everything to Linux and throw away your Active Directory, Group Policy, centralized software management, and pretty much everything else that keeps your systems secure. Sounds like a great idea!

        • by Z00L00K ( 682162 )

          Except that centralized management and AD are the gold targets within an organization.

          If they are cracked you'll have 6 months of hell and an eternity of stupidity from management. My workplace suffered that. A worldwide spanning attack of ransomware due to a cracked global AD.

        • I missed the part where "Active Directory, Group Policy, centralized software management" keep your systems secure? Not that I expect you to be able to explain yourself. You are obviously part of the problem, and the problem is serious indeed.

          • by cusco ( 717999 )

            Does Linux have a decent LDAP for authentication? An auditable file system as controllable as NTFS? A way to lock down desktops for all authenticated machines? A way to force updates on all systems before they're allowed to connect to the domain? No? Then how would you know that your systems are secure? You don't, which is why almost all large networks are Microsoft-based (outside of China).

    • Some of the weakest networks connected to the internet are Linux based. Linux is not a magic bullet; unless you have competent admins it is no better than Windows.
      • by cusco ( 717999 )

        And considering that there is no Linux equivalent to Active Directory, NTFS, and Group Policy unless the admin is **very** good it's going to be considerably worse.

  • It's clear there is a propaganda war going on. There is no discussion here of US capabilities. But if the Chinese deadline for an invasion of Taiwan really is 2027 we ought to be very worried. It appears that the general approach to deadlines in China is to under-promise and over-deliver. If the real deadline is 2025, they are likely nearly ready now. Of course the whole idea that China is getting ready to invade Taiwan absent the provocation of the Taipei government formally declaring independence may be an
  • by PPH ( 736903 ) on Sunday January 05, 2025 @06:19PM (#65064897)

    ... US broadband, the battlefield will look a lot like Napoleon's 1812 advance on Moscow.

  • The world will never know - the NSA will never say and neither will China. But you will keep hearing of China hacking - it is the only good propaganda left now that the whole Uyghur fake genocide thing fell flat in the face of US approved real genocide in Gaza.
  • Only if you're dumb enough to host your critical infrastructure on the Internet.
    • by cusco ( 717999 )

      Not really, how long do you think that, for example, Puget Sound Energy would be able to continue serving their customers if their corporate network were in shambles? If you can't dispatch trucks to repair lines, can't purchase power because you can't communicate with anyone, can't anticipate changing loads, etc. then very rapidly an 'electrical grid' becomes a collection of disparate microgrids, and then falls apart completely. If Exxon can't schedule deliveries and pickups they have to shut down their r

      • > Not really, how long do you think that, for example, Puget Sound Energy would be able to continue serving their customers if their corporate network were in shambles? ..

        I fail to follow your logic. The obvious solution is for each utility to run their critical infrastructure on VPNs running on embedded hardware with multiple routes across the public Internet.
        • by cusco ( 717999 )

          What is "critical infrastructure" today? In 2020 we found out that grocery stores and refrigeration repair guys came under that heading. Do you think they're going to hire people competent to protect their back end systems? (If so you don't know much about the retail industry.) I've worked with IT staff across a wide range of industries, and competency varies dramatically from place to place. For example in Anchorage the largest hospital was unable to keep IT staff since corporate insisted on paying Lo

  • Designed to operate separately from civilian infrastructure for weeks/months. Civilian hacking won’t do much of anything, militarily, on that time frame.

    Plus, absolutely nothing will be a surprise. If you look back, you’ll realize that we knew Putin was gonna invade Ukraine and were broadcasting it for many months before it actually happened. Anyone actually expressing surprise was either truly not paying attention or just putting on a pikachu face.

    And a Taiwan takeover would be a major
    • a Taiwan takeover would be a major naval invasion.

      I think a blockade is far more likely and far more difficult to defend against. I don't think it would really require a lot of apparent preparation.

      This was a WSJ article? I would have expected their analysis to be a tad better.

      I don't know why. They are bunch of Neo-conservative ideologues. If it were a business analysis I would agree with you. But given the state of the media, I suspect a lot of their business analysis is also questionable.

      • China wouldn't gain much from a naval blockade. Yeah, it could be economically hard for Taiwan, but it's pretty unlikely that the island will roll over and give up, and it's not like China can starve the island into submission under any reasonable time frame. It would just announce to the world that they're abandoning rules and that they've resumed military expansion. But they need friends beyond Russia, Iran and North Korea if they want to thrive.
        • Yeah, it could be economically hard for Taiwan, but it's pretty unlikely that the island will roll over and give up, and it's not like China can starve the island into submission under any reasonable time frame.

          Why not? Taiwan is an island and I thought it was largely dependent on imports for most things. Most countries that trade with China are not going to care much what they do with regard to Taiwan. Almost every country in the world has a one China policy that recognizes Taiwan as a part of China. A blockade is less likely to draw humanitarian responses than a full scale invasion.

  • ... this is what I think:
    1. any network is vulnerable to attacks, so yes it is.
    2. when is china going to be hacked?

  • Chinese hackers had gained the ability to shut down dozens of U.S. ports, power grids and other infrastructure targets at will

    You can type this cyber BS but we don't have to believe it.
  • Either that news is being suppressed (concerning),
    or we are not hacking Chinese infrastructure (scary).
