US Unable To Win a Cyber War

An anonymous reader writes "The inability to deflect even a simulated cyber attack or mitigate its effects shown in an exercise that took place some six days ago at Washington's Mandarin Oriental Hotel doesn't bode well for the US. Mike McConnell, the former Director of National Intelligence, said to the US Senate Commerce, Science, and Transportation Committee yesterday that if the US got involved in a cyber war at this moment, they would surely lose. 'We're the most vulnerable. We're the most connected. We have the most to lose,' he stated. Three years ago, McConnell referred to cybersecurity as the 'soft underbelly of this country' and it's clear that he thinks things haven't changed much since then."

Let me guess the solution:

More government intervention and monitoring of the Internet, to be outsourced to 3rd party vendors which are politically connected?

Nah, couldn't happen.

Propaganda

Pretext to OpenID and government surveillance.

Re:Stupidity of leadership...

[eldavojohn]

In short, cyberwarfare won't work for the exact same reasons that censorship won't work, there's too many people working against the attackers who can communicate too quickly and too effectively.

Quiet, you fool! Imagine if they can convince the United States government that part of its defense budget should go to increasing cyber security! We already know the DoD uses Linux and wants more. Just think what a very tiny fraction of the US Defense budget could do for security in Linux and its subsequent adoption for corporations!

And for those of you that argue the enemy will then use Linux: who cares? Bullet proof protection on both sides would prevent any attempt of an offensive from ever sparking a war. In light of recent economic ups and downs, I would argue at this point it's more important to make the corporations feel 100% safe and secure -- unlike Google in China.

Always remember this in a cyber war

[Tetsujin]

If you're captured by the enemy, there are just three pieces of information you are compelled to divulge: Age, Sex, and Location.

A comment in The Atlantic on cluelessness

[Animats]

I wrote this to The Atlantic, which is a "think piece" magazine read by some decision makers in Washington.

After seeing that show, I was struck by the cluelessness of the panelists. I don't expect them to understand how networks really work, but they didn't even understand the organizations involved. Key organizations in a crisis like that would be the North American Network Operators Group and the North American Electric Reliability Council, along with the US Computer Emergency Response Team. The participants didn't know that, and they didn't have staffers to tell them.

The panelists were obsessing over whether they had enough authority to do something, while totally lacking any idea of what to do.

There are a few reasonable steps they could have taken at their level.

• First, after a physical attack on electric power facilities, get troops guarding key substations. The NERC would know where those are, and there should be a plan in place to do that.
• Second, faced with an massive attack via "smart phones", ask network operators to temporarily disable 4G and 3G services while keeping voice up. That would cut traffic 90% and stop further infections. Cellular voice service would probably come back up.
• Third, ask ISPs to temporarily block all HTML/MIME email, while allowing text email. That would stop most attacks against PCs and virus transmission. Yes, the FCC lacks the authority to order this. But if CERT and NANOG simply asked network operators to do that in an emergency, 99% would do it.
• Fourth, activate the Emergency Broadcasting System, which uses AM radio, for a Presidential address. That will get through even if almost everything else is down.
• Fifth, get FEMA cranked up to provide emergency services in areas with power outages. That's where people are going to die. Everything else is an economic problem.

Having taken the initial steps, the next priority is bringing the electrical grid back up. If substations were damaged, it may be necessary to move some very large transformers around, and possibly to import them from other countries. Military assets (i.e. big transport aircraft) should be made available to help with that.

In parallel with this, the intelligence community and DoD can work on who's behind the attack. But that's not going to be dealt with in the first hours. Don't obsess on hitting back.

Re:A comment in The Atlantic on cluelessness

[Areyoukiddingme]

Yes, the real responders will be CERT and NANOG. I'd be willing to bet that some fair percentage of the people with their hands on the keyboards in NANOG would be able to fire up their HAM sets if the backbones got so totally overwhelmed that nothing could get through. I KNOW they don't care if their fucking cell phones don't work. They have desks with three screens and a keyboard and a hardwired phone on them. What happens to their daughters' iPhones in no way interferes with their jobs.

But I have a hard time imagining any purely digital situation that would take down the backbones. Script kiddies have been running DDOS botnets for a decade now. The backbones have seen it all, done it all, and when you get right down to it, the trans-Atlantic and trans-Pacific links aren't big enough to saturate the continental backbone. We have a LOT more fiber in the ground than we do underwater.

The only situation that could take down the backbone is an extended, multi-state power outage, and guess what: we've been there and done that. The northeast power outage was our worst case scenario made manifest. Those of us in the Midwest knew about it, but barely even noticed it in our day to day lives. Our grid stayed up, our phones still worked, and business went on as usual for most of us. Those who needed to talk to eastern seaboard customers/employers/whatever had a quiet few days, that's all.

Sure, it looked like the participants were clueless. And I know the old saw about never attributing to malice what can be explained by incompetence. But I've seen the names of the participants, and I know for an absolute fact that malignance is one of their primary motivations. They seek power, at all costs, and they will do anything to get it, including lie, cheat, steal, and manipulate anything and everything they can affect. I think they do have the staffers who can tell them about NANOG and CERT and NERC and they don't like the fact that those organizations exist without their explicit control over everything they do.

They want the authority, in law, to order NANOG around, on any pretext. They want the authority, in law, to disband CERT if they feel like it. They want to exert the full force of the US Government to make all these 'maverick' network operators stand and salute when they say so, or lose their jobs. They've heard how the Internet views censorship as damage and routes around it and they want control of the people who control the routers. They want the power and they want the money, and they're going to do their damndest to stampede their herd of useful idiots into giving it all to them. They are sociopaths and psychotics and we can only hope they die of old age before the country falls headlong into a French Revolution of purges, pogroms, and random bloodletting.

Re:Why is infrastructure connected?

[vlm]

Why are things like power plants, banks, or telcos directly connected to the internet? You'd think they could afford a completely separate network.

A short summary of the problem:

Obviously no one manipulates the reactor control rods over the internet, outsourced to India. Although there is probably an intense desire by the MBAs to do so. Obviously the marketing guys have their PR website on the internet.

The problem is the devices in between. At a past employer, they had a customer whom had to cancel aircraft flights when their net access was down. They had to submit some form or list to the FAA or DHS or big brother or whatever for each flight, and they had a backup plan to submit the info over telephones/cellphones, but not the personnel to handle the load of all flights on backup, so the least essential flight would be canceled. Sales gave them an elaborate SLA.

That is how you shut down a nuclear plant using the internet. They can't email incident reports to the N.R.C., so they have to shut down for "safeties sake". Its not that its technically dangerous, but intentionally operating without N.R.C. oversight might be a $10M/hour fine, so they aren't gonna do it. Or maybe the plant guards won't get paid unless their internet accessible timeclock application works, they won't work for free, and the plant is not allowed to work without guards. Or the VOIP customer service in India is inaccessible and for safety reasons you can't supply power with no way to learn of lines down in the street and/or dispatch the service techs, so off goes the power to the city. To save money, city water SCADA system is now on the internet instead of a private net, and when the inet goes down, no water, no water means the plant shuts off. Thats how you use the internet to shut off a nuclear power plant, not some B.S. about remotely adjusting the control rods and turning pumps on and off.

What was almost certainly not discussed during the govt simulation was the need to remove useless regulations, because that gets the proletariat wondering if those regulations are really required under normal circumstances...

A cyberwar will be used as a lead up to an attack

A "Cyberwar" will be used as part of a campaign for a larger objective. When (not if) China chooses to "annex" Taiwan, the attack would likely go as follows:

US power plants go down because of SCADA systems attached available to anyone who finds them. Other embedded systems will get torn apart, from HVAC systems to traffic light control, paralyzing cities. This will happen all at once, both on CONUS, but on ports the US uses abroad, and in Taiwan as well. As a farewell gift, routers and such are zapped of all configuration to make it harder to reconnect and get infrastructure working, especially core wireless items, such as the infrastructure between towers. Even worse, most companies and organizations have no backup infrastructure in place so a simple dd if=/dev/zero of=/dev/sda will cause permanent data loss. Or random corruption is done to archive records, making them unusable for criminal or civil proceedings down the line.

By the time the mess is cleaned up (and with embedded systems, there *will* be physical damage, such as safety valves jammed shut, causing BLEVEs), the Red Guard will have firmly garrisoned the island nation and will be telling the US that an attack there will result in a nuclear exchange.

Another possibility will be an attack against the Falkland Islands by Argentina. As of recently, that nation has been wanting to take British oil interests in the area, even trying to attack oil rigs. One can expect the UK to be hit by a coordinated attack on critical systems, as well as its allies. Then the next thing would be Argentina with help from Chavez (who is in dire need of a military victory against Europe and the US to bolster his credibility) will be invading the Falkland Islands. No, the islands may not be a major strategic issue, but they have a lot of oil underneath, and would love to attack the UK's oil interests and turn the oil derricks into torches.

Of course, there is Russia. America's grid goes down, and Russia pushes into Western interests without a shot being fired. Since most of Europe went "green" and ditched their national security for reliance on Russian gas, expect no help from France or Germany, as neither country wants its population to freeze to death, and both countries like their cities to have their lights on. It wouldn't even take a cyberattack to make Europe kowtow to Russia... just the threat of turning off the natural gas pipes.

Of course, the Middle East comes to mind. The one oil pipeline that Russia hasn't seized yet that goes through Georgia. Georgian computers go down, American grid suffers, Russian tanks plow into Georgia proper calling it a police action, depose the government and set up a puppet system. Combine that with a military action to grab control of the Persian Gulf, and Russia now has complete control of Europe's and America's oil supplies. Game. Point. Match. Checkmate.

The problem? A good number of American companies don't give a shit about security. Since security has no ROI, little but lip service is paid in that direction. They expect that they can hire an army of consultants to repair any breach 24/7, so don't do anything except put some random policies in place. Of course, come a military strike against American interests, these companies will be having their systems used as staging points and proxies to make it virtually impossible to find out who disabled a cooling system at a nuke plant, causing a SCRAM across all reactors and plunging the grid into a blackout.

When a "cyber attack" that is worth the name happens, the lights will go off, then the ships will sail into some country's harbor, and the troops will be moving in. It won't be done just for giggles by some foreign nation, it will be done in concert with another brutal offensive.