Slashdot Mirror
US Unable To Win a Cyber War
An anonymous reader writes "The inability to deflect even a simulated cyber attack or mitigate its effects shown in an exercise that took place some six days ago at Washington's Mandarin Oriental Hotel doesn't bode well for the US. Mike McConnell, the former Director of National Intelligence, said to the US Senate Commerce, Science, and Transportation Committee yesterday that if the US got involved in a cyber war at this moment, they would surely lose. 'We're the most vulnerable. We're the most connected. We have the most to lose,' he stated. Three years ago, McConnell referred to cybersecurity as the 'soft underbelly of this country' and it's clear that he thinks things haven't changed much since then."
Tell us something we don't know. When script kiddies can invade government networks, I'd say that we are pretty much screwed if an all-out digital conflict were to happen.
Living With a Nerd
What they don't understand is that it isn't going to be the government or the military that responds to a real cyber attack, it's going to be a nation wide army of several hundred thousand IT admins working 70 hour weeks to keep their companies secure and operational. Once solutions are found they'll be posted to the web and disseminated faster than the new attacks can be devised. In short, cyberwarfare won't work for the exact same reasons that censorship won't work, there's too many people working against the attackers who can communicate too quickly and too effectively.
Or, to put it another way, http://xkcd.com/705
To me, all that pony show was six days ago was a mock news and propaganda freak show. It just showed that congressional leadership and suit monkeys couldn't deal with the situation, it didn't say anything about whether our infrastructure or the closet tech experts in charge of it could effectively deal with it.
I also might add, "GNN" did a pretty poor job, too. I didn't catch all of it, but the little I did, it also showed me that there's also an inability on the news reporting front, too.
Why are things like power plants, banks, or telcos directly connected to the internet? You'd think they could afford a completely separate network.
If you reply, do so only to what I explicitly wrote. If I didn't write it, don't assume or infer it.
There once was a time when we had the best, cutting edge people in the security biz. Yes, this was a long time ago, when we had most of the technology too.
Then they passed various laws, which had good intentions. But the negative side effects killed any curiousity that new students had in exploring this field. Businesses helped insure this death of talent, by threatening certain schools by not hiring students who took classes that the Businesses found threatening.
One could see the results a mile off. We have a whole generation who is ignorant and unprepared to fight such a war. Many of the more incompetent of them are even under the delusion that they are really hot stuff. But incompetent people are blind to their own incompetence, while the bad guys have free reign to test their skills every day.
If you want a chance at some hope to defend this nation, you need to free the students to explore and learn. Until that happens, yoo'll always be owned by the bad guys. There's not a chance in the world of this happening yet though. The entire rotten system has to come crashing down first. The good news is that with the $700 Trillion ponzi scheme of derivatives, this is about to happen via the Global Financial Crisis.
For the same reason we can't win a space war, we have the most to lose. The more systems you have dependent on an asset, the more vulnerable you become in that asset.
Note however, that doesn't mean you are in a weaker position, an asset is still an asset.
Convenience isn't just convenient, it is time saved you can use to do other things. We just need to start waking up to what is a security risk and what isn't. What we need to protect and what we don't and finally drills on what to do if the primary system fails.
You fail to realize that it is not "one network cable" that connects us to (lets say China). The robustness of the internet means that every route to China must be cut in order to stop the attack.
That means England has to cut their ties with China. And France. And so on and so forth until everyone that North America Can access no longer has access to China. If we leave the pipes open to India, and India is still open to China, thats a route through to the US. Thus we resort to IP Blocking, but then spoofing and Proxies comes into play - making things more complex.
The other solution to stop the attack, is to disconnect all the network cables that access any other country. Leaving you with an internet that spans North America Alone.
Personally, if it ever comes to a cyber war, I think it will boil down into a World War kind of thing. One side will cut ties and allegiances will be made. The West will be on their own private network and the rest of the world on theirs, creating two out of sync "Internets".
I wrote this to The Atlantic, which is a "think piece" magazine read by some decision makers in Washington.
After seeing that show, I was struck by the cluelessness of the panelists. I don't expect them to understand how networks really work, but they didn't even understand the organizations involved. Key organizations in a crisis like that would be the North American Network Operators Group and the North American Electric Reliability Council, along with the US Computer Emergency Response Team. The participants didn't know that, and they didn't have staffers to tell them.
The panelists were obsessing over whether they had enough authority to do something, while totally lacking any idea of what to do.
There are a few reasonable steps they could have taken at their level.
Having taken the initial steps, the next priority is bringing the electrical grid back up. If substations were damaged, it may be necessary to move some very large transformers around, and possibly to import them from other countries. Military assets (i.e. big transport aircraft) should be made available to help with that.
In parallel with this, the intelligence community and DoD can work on who's behind the attack. But that's not going to be dealt with in the first hours. Don't obsess on hitting back.
The US has been and will be stuck back in WWII thinking until it's too late. When you invest in war ships, tanks and fighter planes you have something "show" people. It's pretty hard to demonstrate what you got for the money when it comes to the security of intangible things. The installation of a firewall just doesn't make one go "oooh and ahhh" like the vaporized city and mushroom cloud from a 10 mega-ton ICBM. Even a security fence and a camera or two around a municipal water supply isn't very "impressive" compared to the demonstration of raw power an F-22 can unleash.
Worse still is when people do play "tickle-tickle" with our soft underbelly the response tends to be blowing up FedEx packages, taking off our shoes, having dogs sniff our crotch, and groping pregnant ladies.
Two of my imaginary friends reproduced once
Unfortunately for the U.S., the problem started decades ago. The downfall began when the corporations convinced politicians to make stronger and stronger laws to punish those who hack their system or product. This led to the idea that instead of fixing any security issues, it was easier and cheaper to try to punish those who hacked. Fast forward to today, and now theres the more laws, EUA's, DMCA's, etc.
If you discover exploits and try to go public with it. The first thing the targeted company might try to do to squash the "exploit" is either litigate or file criminal charges.
I'm not saying that there shouldn't be laws against hacking into systems, but the current environment doesn't bode well for making these system any more secure. It would be nice if there was some kind of "whistle blower" protection for those who discover exploits and maybe a company or government agency that you could disclose these exploits to in order to receive this protection.
Maybe there could be laws inacted that require a company to fix the exploit within a certain amount of time once it has been reported or something. If not they could either be fined or held accountable if any sensitive data is breached. Not sure, but something needs to be changed.
The real Sig captains the Northwestern. This one captains
A "Cyberwar" will be used as part of a campaign for a larger objective. When (not if) China chooses to "annex" Taiwan, the attack would likely go as follows:
US power plants go down because of SCADA systems attached available to anyone who finds them. Other embedded systems will get torn apart, from HVAC systems to traffic light control, paralyzing cities. This will happen all at once, both on CONUS, but on ports the US uses abroad, and in Taiwan as well. As a farewell gift, routers and such are zapped of all configuration to make it harder to reconnect and get infrastructure working, especially core wireless items, such as the infrastructure between towers. Even worse, most companies and organizations have no backup infrastructure in place so a simple dd if=/dev/zero of=/dev/sda will cause permanent data loss. Or random corruption is done to archive records, making them unusable for criminal or civil proceedings down the line.
By the time the mess is cleaned up (and with embedded systems, there *will* be physical damage, such as safety valves jammed shut, causing BLEVEs), the Red Guard will have firmly garrisoned the island nation and will be telling the US that an attack there will result in a nuclear exchange.
Another possibility will be an attack against the Falkland Islands by Argentina. As of recently, that nation has been wanting to take British oil interests in the area, even trying to attack oil rigs. One can expect the UK to be hit by a coordinated attack on critical systems, as well as its allies. Then the next thing would be Argentina with help from Chavez (who is in dire need of a military victory against Europe and the US to bolster his credibility) will be invading the Falkland Islands. No, the islands may not be a major strategic issue, but they have a lot of oil underneath, and would love to attack the UK's oil interests and turn the oil derricks into torches.
Of course, there is Russia. America's grid goes down, and Russia pushes into Western interests without a shot being fired. Since most of Europe went "green" and ditched their national security for reliance on Russian gas, expect no help from France or Germany, as neither country wants its population to freeze to death, and both countries like their cities to have their lights on. It wouldn't even take a cyberattack to make Europe kowtow to Russia... just the threat of turning off the natural gas pipes.
Of course, the Middle East comes to mind. The one oil pipeline that Russia hasn't seized yet that goes through Georgia. Georgian computers go down, American grid suffers, Russian tanks plow into Georgia proper calling it a police action, depose the government and set up a puppet system. Combine that with a military action to grab control of the Persian Gulf, and Russia now has complete control of Europe's and America's oil supplies. Game. Point. Match. Checkmate.
The problem? A good number of American companies don't give a shit about security. Since security has no ROI, little but lip service is paid in that direction. They expect that they can hire an army of consultants to repair any breach 24/7, so don't do anything except put some random policies in place. Of course, come a military strike against American interests, these companies will be having their systems used as staging points and proxies to make it virtually impossible to find out who disabled a cooling system at a nuke plant, causing a SCRAM across all reactors and plunging the grid into a blackout.
When a "cyber attack" that is worth the name happens, the lights will go off, then the ships will sail into some country's harbor, and the troops will be moving in. It won't be done just for giggles by some foreign nation, it will be done in concert with another brutal offensive.
even nationalizing the power companies.
I'm all for that, cyberwar or no. Maybe not have the power companies run by the US government, but by local or county governments. My gas company Amerin is a private utility that is a power company as well in most of the state, my electric comppany is CWLP, owned and operated by the city. The difference between these two utilities is astounding.
CWLP has excellent customer service, the lowest rates and the highest uptime of any electric utility in the state, and makes a tidy profit for the city as well, offsetting taxes that would otherwise have to be paid. My gas company, otoh, makes Comcast look good. The reason is simple: if CWLP's customer service goes bad, if the power is out much, or if the rates go up too much the Mayor loses his job.
Amerin's customer service is abysmal, but what is one to do? Many local folks have gone all-electric because of their shodddiness. There isn't even a local office to pay the bill, you have to snail mail it or go to a currency exchange and pay an extra dollar. It's not like you can go to the other gas company down the street, and propane is out of the question. Because of this, they are not beholden to anyone but the stockholders.
The free market works well when there is a free market, but there is no free market when it comes to utilities or any other natural monopoly. I'd like to see all utilities taken over by local or county governments. The customer has at least some say then.
Free Martian Whores!
Isn't all that flag waving, jingoist nonesense for the jocks and the more physically aggressive types in society? Why would those marginalised to their bedrooms and basements for much of their formative years feel any obligation or urge to fight for so ethereal a concept as a nation? What is a nation but a line drawn in the sand to divide one tax paying group of people from another tax paying group of people? Aren't there more interesting things to do like watching Battlestar Gallactica or playing Bioshock 2?
How many "accidental" undersea cable cuts in 2008? ...just saying...
-- Terry
The Persian Gulf only accounts for ~24% of US crude imports. While a loss, it won't stranglehold us. If all of OPEC were to cut off the U.S., it would be ~55% of our imports gone, which at that point we would likely stop exporting to Japan and others and shift the flows from Alaska back to us. OPEC, while a cartel, is not known for solidarity. Their profits would be hurt far too much for all of them to cut off the U.S. Besides, if we strategically place the U.S. Naval fleets we can cut off all the major world trade routes quite easily. From there, a couple surgical strikes on certain pipelines/supply lines and our "enemies" will be no better off than the U.S. The reason we are so "dependent" on foreign oil is not due to a lack of supply within our geopolitical borders, but rather a subtle strategic play to maintain resources in case a war like this were to occur. Why deplete our own resources during peace, leaving us dry during conflict; when we can use those of other countries, while safe guarding our own until we need to tap into the deposits.
If your country is blocking Anich, though, that does limit many things. The hacker in Anich can't directly attack your government box, nor can he directly connect to a hacked privately owned box in your country to then use to attack your government box. The hacker in Anich can't directly access *any* box through a route that goes through your country.
Now imagine that Anich has started a cyberwar against your country. Your country *and all its allies* block connections from Anich *and all Anich's allies*. Hackers in Anich now have to figure out a path through the few remaining countries that aren't blocking them. This may actually be impossible - perhaps every country bordering Anich is blocking Anich, which is a reasonable thing for them to do, considering they don't want their computers to be a network battleground for the attacks and counterattacks going on.
This doesn't make all activity stop - Anich could have agents physically inside other countries - but it stops Anich from using its planned strategy of utilizing the army of nationalist college students within its borders and claiming the government of Anich had nothing to do with it.