Slashdot Mirror
US Unable To Win a Cyber War
An anonymous reader writes "The inability to deflect even a simulated cyber attack or mitigate its effects shown in an exercise that took place some six days ago at Washington's Mandarin Oriental Hotel doesn't bode well for the US. Mike McConnell, the former Director of National Intelligence, said to the US Senate Commerce, Science, and Transportation Committee yesterday that if the US got involved in a cyber war at this moment, they would surely lose. 'We're the most vulnerable. We're the most connected. We have the most to lose,' he stated. Three years ago, McConnell referred to cybersecurity as the 'soft underbelly of this country' and it's clear that he thinks things haven't changed much since then."
If you watched the broadcast of this exercise on CNN, you heard many people arguing for things that the government just can't do such as ordering telcos to disable all smartphones, suspending rights, and even nationalizing the power companies.
They spent so much time being told by the simulated AG what they couldn't do, they didn't have time left to discuss what they could do.
a.k.a. All your base are belong to us.
Love many, trust a few, do harm to none.
More government intervention and monitoring of the Internet, to be outsourced to 3rd party vendors which are politically connected?
Nah, couldn't happen.
Given the completely ignorant approach the Legislative and Judiciary powers in the United States of Jeebus have taken to the Internet, I am not surprised that the Executive power is also doing it wrong.
Nothing lasts forever but the certainty of change.
Pretext to OpenID and government surveillance.
All this proves is that the moronic politcal machine has no idea how to conduct real world I.T. tests
"Computers are a lot like Air Conditioners" "They both work great until you start opening Windows"
Why are things like power plants, banks, or telcos directly connected to the internet? You'd think they could afford a completely separate network.
If you reply, do so only to what I explicitly wrote. If I didn't write it, don't assume or infer it.
The headline should really read: "Overseas hacker's computers unable to defeat incoming U.S. nukes."
That would be much more accurate, if we are going to talk about WAR.
That "excercise" was conducted by a bunch of former Bush officials and other neocons. It wasn't a test of our cyber security, it was a propaganda tool designed to embarass the Obama administration and urge a further erosion of our civil liberties.
SJW: Someone who has run out of real oppression, and has to fake it.
I wonder how much of this new fear has to do with revving up support for ACTA/etc.
One that hath name thou can not otter
We are BOFH. You want Mutual Assured Destruction? We make the USAF look like wusses.
Give a man a fish and you have fed him for today. Teach a man to fish, and he'll say "WHERE'S MY FISH, YOU IDIOT?"
If you're captured by the enemy, there are just three pieces of information you are compelled to divulge: Age, Sex, and Location.
Bow-ties are cool.
I wrote this to The Atlantic, which is a "think piece" magazine read by some decision makers in Washington.
After seeing that show, I was struck by the cluelessness of the panelists. I don't expect them to understand how networks really work, but they didn't even understand the organizations involved. Key organizations in a crisis like that would be the North American Network Operators Group and the North American Electric Reliability Council, along with the US Computer Emergency Response Team. The participants didn't know that, and they didn't have staffers to tell them.
The panelists were obsessing over whether they had enough authority to do something, while totally lacking any idea of what to do.
There are a few reasonable steps they could have taken at their level.
Having taken the initial steps, the next priority is bringing the electrical grid back up. If substations were damaged, it may be necessary to move some very large transformers around, and possibly to import them from other countries. Military assets (i.e. big transport aircraft) should be made available to help with that.
In parallel with this, the intelligence community and DoD can work on who's behind the attack. But that's not going to be dealt with in the first hours. Don't obsess on hitting back.
The US has been and will be stuck back in WWII thinking until it's too late. When you invest in war ships, tanks and fighter planes you have something "show" people. It's pretty hard to demonstrate what you got for the money when it comes to the security of intangible things. The installation of a firewall just doesn't make one go "oooh and ahhh" like the vaporized city and mushroom cloud from a 10 mega-ton ICBM. Even a security fence and a camera or two around a municipal water supply isn't very "impressive" compared to the demonstration of raw power an F-22 can unleash.
Worse still is when people do play "tickle-tickle" with our soft underbelly the response tends to be blowing up FedEx packages, taking off our shoes, having dogs sniff our crotch, and groping pregnant ladies.
Two of my imaginary friends reproduced once
Unfortunately for the U.S., the problem started decades ago. The downfall began when the corporations convinced politicians to make stronger and stronger laws to punish those who hack their system or product. This led to the idea that instead of fixing any security issues, it was easier and cheaper to try to punish those who hacked. Fast forward to today, and now theres the more laws, EUA's, DMCA's, etc.
If you discover exploits and try to go public with it. The first thing the targeted company might try to do to squash the "exploit" is either litigate or file criminal charges.
I'm not saying that there shouldn't be laws against hacking into systems, but the current environment doesn't bode well for making these system any more secure. It would be nice if there was some kind of "whistle blower" protection for those who discover exploits and maybe a company or government agency that you could disclose these exploits to in order to receive this protection.
Maybe there could be laws inacted that require a company to fix the exploit within a certain amount of time once it has been reported or something. If not they could either be fined or held accountable if any sensitive data is breached. Not sure, but something needs to be changed.
The real Sig captains the Northwestern. This one captains
... is social engineering. No firewall can isolate you from human stupidity, and more accessible information about everything (that either is public, or can be obtained thru directed trojans/botnets) gives good base for such kind of approach.
A "Cyberwar" will be used as part of a campaign for a larger objective. When (not if) China chooses to "annex" Taiwan, the attack would likely go as follows:
US power plants go down because of SCADA systems attached available to anyone who finds them. Other embedded systems will get torn apart, from HVAC systems to traffic light control, paralyzing cities. This will happen all at once, both on CONUS, but on ports the US uses abroad, and in Taiwan as well. As a farewell gift, routers and such are zapped of all configuration to make it harder to reconnect and get infrastructure working, especially core wireless items, such as the infrastructure between towers. Even worse, most companies and organizations have no backup infrastructure in place so a simple dd if=/dev/zero of=/dev/sda will cause permanent data loss. Or random corruption is done to archive records, making them unusable for criminal or civil proceedings down the line.
By the time the mess is cleaned up (and with embedded systems, there *will* be physical damage, such as safety valves jammed shut, causing BLEVEs), the Red Guard will have firmly garrisoned the island nation and will be telling the US that an attack there will result in a nuclear exchange.
Another possibility will be an attack against the Falkland Islands by Argentina. As of recently, that nation has been wanting to take British oil interests in the area, even trying to attack oil rigs. One can expect the UK to be hit by a coordinated attack on critical systems, as well as its allies. Then the next thing would be Argentina with help from Chavez (who is in dire need of a military victory against Europe and the US to bolster his credibility) will be invading the Falkland Islands. No, the islands may not be a major strategic issue, but they have a lot of oil underneath, and would love to attack the UK's oil interests and turn the oil derricks into torches.
Of course, there is Russia. America's grid goes down, and Russia pushes into Western interests without a shot being fired. Since most of Europe went "green" and ditched their national security for reliance on Russian gas, expect no help from France or Germany, as neither country wants its population to freeze to death, and both countries like their cities to have their lights on. It wouldn't even take a cyberattack to make Europe kowtow to Russia... just the threat of turning off the natural gas pipes.
Of course, the Middle East comes to mind. The one oil pipeline that Russia hasn't seized yet that goes through Georgia. Georgian computers go down, American grid suffers, Russian tanks plow into Georgia proper calling it a police action, depose the government and set up a puppet system. Combine that with a military action to grab control of the Persian Gulf, and Russia now has complete control of Europe's and America's oil supplies. Game. Point. Match. Checkmate.
The problem? A good number of American companies don't give a shit about security. Since security has no ROI, little but lip service is paid in that direction. They expect that they can hire an army of consultants to repair any breach 24/7, so don't do anything except put some random policies in place. Of course, come a military strike against American interests, these companies will be having their systems used as staging points and proxies to make it virtually impossible to find out who disabled a cooling system at a nuke plant, causing a SCRAM across all reactors and plunging the grid into a blackout.
When a "cyber attack" that is worth the name happens, the lights will go off, then the ships will sail into some country's harbor, and the troops will be moving in. It won't be done just for giggles by some foreign nation, it will be done in concert with another brutal offensive.
dont buy this cyberwar bullshit. they are just using it as an excuse to justify internet control schemes they want to bring upon you americans. remember how terrorism was used to bring liberties-infringing 'security' measures in all aspects of life. its the same shit, repeating itself.
do NOT buy it.
From an article about the "mock cyber attack":
"...A bevy of former top US officials were given various roles to play:
The entire scenario was thought up by Michael Hayden, the former CIA Director, and the faux attack began with malware masquerading as a free March Madness application for smartphones...."
Not only the same shit, but the same shit doled out by the same people.
"The plural of anecdote is not data" -- Bruce Schneier
Between government regulations and the unions you aren't going to have an opportunity to bring back manufacturing to the US.
The misunderstanding is that manufacturing ever "left" the US.
US manufacturing output reached an all-time-high of $1.6 trillion in 2007, nearly double the $811 billion in 1987.
It is true that US manufacturing jobs are on the decline, but not because we are not manufacturing, but because manufacturing productivity is rising. More machines/robots are doing the work, and where humans are involved, the US is concentrating on higher value products.
This is EXACTLY what we saw in the farm industry. In 1900, 30% of Americans worked on a farm. Today, fewer than 2% do, but the US produces more food than it did in 1900 with far fewer workers and less land.
If the (mostly) low value-add manufacturing done by China had to be done in the US, it would be done by machines, not human workers.