Slashdot Mirror
US Unable To Win a Cyber War
An anonymous reader writes "The inability to deflect even a simulated cyber attack or mitigate its effects shown in an exercise that took place some six days ago at Washington's Mandarin Oriental Hotel doesn't bode well for the US. Mike McConnell, the former Director of National Intelligence, said to the US Senate Commerce, Science, and Transportation Committee yesterday that if the US got involved in a cyber war at this moment, they would surely lose. 'We're the most vulnerable. We're the most connected. We have the most to lose,' he stated. Three years ago, McConnell referred to cybersecurity as the 'soft underbelly of this country' and it's clear that he thinks things haven't changed much since then."
If you watched the broadcast of this exercise on CNN, you heard many people arguing for things that the government just can't do such as ordering telcos to disable all smartphones, suspending rights, and even nationalizing the power companies.
They spent so much time being told by the simulated AG what they couldn't do, they didn't have time left to discuss what they could do.
a.k.a. All your base are belong to us.
Love many, trust a few, do harm to none.
Tell us something we don't know. When script kiddies can invade government networks, I'd say that we are pretty much screwed if an all-out digital conflict were to happen.
Living With a Nerd
More government intervention and monitoring of the Internet, to be outsourced to 3rd party vendors which are politically connected?
Nah, couldn't happen.
Given the completely ignorant approach the Legislative and Judiciary powers in the United States of Jeebus have taken to the Internet, I am not surprised that the Executive power is also doing it wrong.
Nothing lasts forever but the certainty of change.
Pretext to OpenID and government surveillance.
To me, all that pony show was six days ago was a mock news and propaganda freak show. It just showed that congressional leadership and suit monkeys couldn't deal with the situation, it didn't say anything about whether our infrastructure or the closet tech experts in charge of it could effectively deal with it.
I also might add, "GNN" did a pretty poor job, too. I didn't catch all of it, but the little I did, it also showed me that there's also an inability on the news reporting front, too.
Luckily, I've setup my server farm in my old bomb shelter.
All this proves is that the moronic politcal machine has no idea how to conduct real world I.T. tests
"Computers are a lot like Air Conditioners" "They both work great until you start opening Windows"
Why are things like power plants, banks, or telcos directly connected to the internet? You'd think they could afford a completely separate network.
If you reply, do so only to what I explicitly wrote. If I didn't write it, don't assume or infer it.
The headline should really read: "Overseas hacker's computers unable to defeat incoming U.S. nukes."
That would be much more accurate, if we are going to talk about WAR.
If there was an actual cyber war, we would respond with real war.
We're far and away the best at that.
Random attacks showing the ineptitude of aren't a cyber war. When someone starts launching missles and redirecting our navy clear a path for an attack, then it'll be a cyber war.
When some schlubs steal buckets of personal data, mess with the power grid, or disrupt internet traffic it's just another day in the U S of A.
That "excercise" was conducted by a bunch of former Bush officials and other neocons. It wasn't a test of our cyber security, it was a propaganda tool designed to embarass the Obama administration and urge a further erosion of our civil liberties.
SJW: Someone who has run out of real oppression, and has to fake it.
I wonder how much of this new fear has to do with revving up support for ACTA/etc.
One that hath name thou can not otter
For the same reason we can't win a space war, we have the most to lose. The more systems you have dependent on an asset, the more vulnerable you become in that asset.
Note however, that doesn't mean you are in a weaker position, an asset is still an asset.
Convenience isn't just convenient, it is time saved you can use to do other things. We just need to start waking up to what is a security risk and what isn't. What we need to protect and what we don't and finally drills on what to do if the primary system fails.
We are BOFH. You want Mutual Assured Destruction? We make the USAF look like wusses.
Give a man a fish and you have fed him for today. Teach a man to fish, and he'll say "WHERE'S MY FISH, YOU IDIOT?"
If an attack was serious enough, we could just start disengaging connections to outside the US, then start dealing with the aspects that were attacking from inside the borders. This is probably mostly government propaganda to make the US look weaker than it really is.
If you're captured by the enemy, there are just three pieces of information you are compelled to divulge: Age, Sex, and Location.
Bow-ties are cool.
I wrote this to The Atlantic, which is a "think piece" magazine read by some decision makers in Washington.
After seeing that show, I was struck by the cluelessness of the panelists. I don't expect them to understand how networks really work, but they didn't even understand the organizations involved. Key organizations in a crisis like that would be the North American Network Operators Group and the North American Electric Reliability Council, along with the US Computer Emergency Response Team. The participants didn't know that, and they didn't have staffers to tell them.
The panelists were obsessing over whether they had enough authority to do something, while totally lacking any idea of what to do.
There are a few reasonable steps they could have taken at their level.
Having taken the initial steps, the next priority is bringing the electrical grid back up. If substations were damaged, it may be necessary to move some very large transformers around, and possibly to import them from other countries. Military assets (i.e. big transport aircraft) should be made available to help with that.
In parallel with this, the intelligence community and DoD can work on who's behind the attack. But that's not going to be dealt with in the first hours. Don't obsess on hitting back.
The US has been and will be stuck back in WWII thinking until it's too late. When you invest in war ships, tanks and fighter planes you have something "show" people. It's pretty hard to demonstrate what you got for the money when it comes to the security of intangible things. The installation of a firewall just doesn't make one go "oooh and ahhh" like the vaporized city and mushroom cloud from a 10 mega-ton ICBM. Even a security fence and a camera or two around a municipal water supply isn't very "impressive" compared to the demonstration of raw power an F-22 can unleash.
Worse still is when people do play "tickle-tickle" with our soft underbelly the response tends to be blowing up FedEx packages, taking off our shoes, having dogs sniff our crotch, and groping pregnant ladies.
Two of my imaginary friends reproduced once
Frankly, I feel the US is more prepared than most countries. Unfortunately, that still doesn't quite cut it.
I think the threat of indefensible counter-attack is going to make any government think twice about a full-on cyber-attack, taking the same role nuclear retaliation did during the Cold War.
- Despite popular opinion, I am not perfect.
Unfortunately for the U.S., the problem started decades ago. The downfall began when the corporations convinced politicians to make stronger and stronger laws to punish those who hack their system or product. This led to the idea that instead of fixing any security issues, it was easier and cheaper to try to punish those who hacked. Fast forward to today, and now theres the more laws, EUA's, DMCA's, etc.
If you discover exploits and try to go public with it. The first thing the targeted company might try to do to squash the "exploit" is either litigate or file criminal charges.
I'm not saying that there shouldn't be laws against hacking into systems, but the current environment doesn't bode well for making these system any more secure. It would be nice if there was some kind of "whistle blower" protection for those who discover exploits and maybe a company or government agency that you could disclose these exploits to in order to receive this protection.
Maybe there could be laws inacted that require a company to fix the exploit within a certain amount of time once it has been reported or something. If not they could either be fined or held accountable if any sensitive data is breached. Not sure, but something needs to be changed.
The real Sig captains the Northwestern. This one captains
... is social engineering. No firewall can isolate you from human stupidity, and more accessible information about everything (that either is public, or can be obtained thru directed trojans/botnets) gives good base for such kind of approach.
Have you heard of Infragard?
'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
A "Cyberwar" will be used as part of a campaign for a larger objective. When (not if) China chooses to "annex" Taiwan, the attack would likely go as follows:
US power plants go down because of SCADA systems attached available to anyone who finds them. Other embedded systems will get torn apart, from HVAC systems to traffic light control, paralyzing cities. This will happen all at once, both on CONUS, but on ports the US uses abroad, and in Taiwan as well. As a farewell gift, routers and such are zapped of all configuration to make it harder to reconnect and get infrastructure working, especially core wireless items, such as the infrastructure between towers. Even worse, most companies and organizations have no backup infrastructure in place so a simple dd if=/dev/zero of=/dev/sda will cause permanent data loss. Or random corruption is done to archive records, making them unusable for criminal or civil proceedings down the line.
By the time the mess is cleaned up (and with embedded systems, there *will* be physical damage, such as safety valves jammed shut, causing BLEVEs), the Red Guard will have firmly garrisoned the island nation and will be telling the US that an attack there will result in a nuclear exchange.
Another possibility will be an attack against the Falkland Islands by Argentina. As of recently, that nation has been wanting to take British oil interests in the area, even trying to attack oil rigs. One can expect the UK to be hit by a coordinated attack on critical systems, as well as its allies. Then the next thing would be Argentina with help from Chavez (who is in dire need of a military victory against Europe and the US to bolster his credibility) will be invading the Falkland Islands. No, the islands may not be a major strategic issue, but they have a lot of oil underneath, and would love to attack the UK's oil interests and turn the oil derricks into torches.
Of course, there is Russia. America's grid goes down, and Russia pushes into Western interests without a shot being fired. Since most of Europe went "green" and ditched their national security for reliance on Russian gas, expect no help from France or Germany, as neither country wants its population to freeze to death, and both countries like their cities to have their lights on. It wouldn't even take a cyberattack to make Europe kowtow to Russia... just the threat of turning off the natural gas pipes.
Of course, the Middle East comes to mind. The one oil pipeline that Russia hasn't seized yet that goes through Georgia. Georgian computers go down, American grid suffers, Russian tanks plow into Georgia proper calling it a police action, depose the government and set up a puppet system. Combine that with a military action to grab control of the Persian Gulf, and Russia now has complete control of Europe's and America's oil supplies. Game. Point. Match. Checkmate.
The problem? A good number of American companies don't give a shit about security. Since security has no ROI, little but lip service is paid in that direction. They expect that they can hire an army of consultants to repair any breach 24/7, so don't do anything except put some random policies in place. Of course, come a military strike against American interests, these companies will be having their systems used as staging points and proxies to make it virtually impossible to find out who disabled a cooling system at a nuke plant, causing a SCRAM across all reactors and plunging the grid into a blackout.
When a "cyber attack" that is worth the name happens, the lights will go off, then the ships will sail into some country's harbor, and the troops will be moving in. It won't be done just for giggles by some foreign nation, it will be done in concert with another brutal offensive.
Yeah, all those explosions do tend to loosen things.
Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
Perhaps its better if no country can win a war, cyber-based or otherwise. Think of it! Peace might break out, and we could begin using the assets that have traditionally been diverted from improving life toward aggressive political ends or empire building.
I understand the perception that a strong military provides security and protection, but this seems true only in as much as it preserves power structures that seek to concentrate wealth and preserve a class system. In the long run Mutually Assured Destruction hasn't improved anything for anyone. The overall systemic effect has been to encourage militarism amongst the so-called civilized societies. The opportunity cost is an unknown. What could be done with the brain power and economic power currently devoted to bigger guns, better bombs and mechanized warfare?
The military has conducted dishonest wargames before, gaming the rules to prevent the Red team from achieving a politically distasteful victory. Perhaps the parties involved can learn from their loss instead of pretending it didn't happen. Of course, if the Red Team was supposed to win, in order to bolster budget requests and score political points, we're back to meaningless pantomimes.
How many "accidental" undersea cable cuts in 2008? ...just saying...
-- Terry
dont buy this cyberwar bullshit. they are just using it as an excuse to justify internet control schemes they want to bring upon you americans. remember how terrorism was used to bring liberties-infringing 'security' measures in all aspects of life. its the same shit, repeating itself.
do NOT buy it.
From an article about the "mock cyber attack":
"...A bevy of former top US officials were given various roles to play:
The entire scenario was thought up by Michael Hayden, the former CIA Director, and the faux attack began with malware masquerading as a free March Madness application for smartphones...."
Not only the same shit, but the same shit doled out by the same people.
"The plural of anecdote is not data" -- Bruce Schneier
Between government regulations and the unions you aren't going to have an opportunity to bring back manufacturing to the US.
The misunderstanding is that manufacturing ever "left" the US.
US manufacturing output reached an all-time-high of $1.6 trillion in 2007, nearly double the $811 billion in 1987.
It is true that US manufacturing jobs are on the decline, but not because we are not manufacturing, but because manufacturing productivity is rising. More machines/robots are doing the work, and where humans are involved, the US is concentrating on higher value products.
This is EXACTLY what we saw in the farm industry. In 1900, 30% of Americans worked on a farm. Today, fewer than 2% do, but the US produces more food than it did in 1900 with far fewer workers and less land.
If the (mostly) low value-add manufacturing done by China had to be done in the US, it would be done by machines, not human workers.
The Persian Gulf only accounts for ~24% of US crude imports. While a loss, it won't stranglehold us. If all of OPEC were to cut off the U.S., it would be ~55% of our imports gone, which at that point we would likely stop exporting to Japan and others and shift the flows from Alaska back to us. OPEC, while a cartel, is not known for solidarity. Their profits would be hurt far too much for all of them to cut off the U.S. Besides, if we strategically place the U.S. Naval fleets we can cut off all the major world trade routes quite easily. From there, a couple surgical strikes on certain pipelines/supply lines and our "enemies" will be no better off than the U.S. The reason we are so "dependent" on foreign oil is not due to a lack of supply within our geopolitical borders, but rather a subtle strategic play to maintain resources in case a war like this were to occur. Why deplete our own resources during peace, leaving us dry during conflict; when we can use those of other countries, while safe guarding our own until we need to tap into the deposits.
If the US lost a "cyber war" enough to seriously damage our economic infrastructure, the world would lose.
Who imports all that stuff from China? A stalled US economy will lead to a lot of upset Chinese unemployed. Who still has the largest amount of global financial services? Care to try to cash in those stocks/bonds or "safe" US Treasury Securities when the US information infrastructure is down?
If the US real-estate bubble was enough to cause a global recession, what would happen if the entire information infrastructure of the US were taken out?
Any nation-state that thinks taking out the US will help them is stupid. Terrorism (the kind that can accept a global depression) is another story.
So you're saying we should build robots to sniff crotches and grope pregnant women?