Slashdot Mirror

← Back to Stories (view on slashdot.org)

US Most Vulnerable To Cyberattack?

Posted by CmdrTaco on from the also-most-vulnerable-to-american-idols dept.

alphadogg writes "Several nations, most prominently Russia, the People's Republic of China and North Korea, are already assembling cyber armies and attack weapons that could be used to attack other nations. Given that the United States is heavily dependent on technology for everything from computer-based banking to supply-chain tracking and air-traffic control, it's particularly vulnerable to the denial-of-service attacks, electronic jamming, data destruction and software-based disinformation tricks likely in a cyberattack. Here's what ex-presidential adviser Richard Clarke, who is releasing a new book called Cyber War, and others are saying needs to be done to keep cyberwars from escalating into full-scale combat."

24 of 118 comments (clear)

  1. FUnny how there's no eviDence... by calibre-not-output · · Score: 3, Insightful

    ...to back any of this up.

    --
    Nothing lasts forever but the certainty of change.
    1. Re:FUnny how there's no eviDence... by calibre-not-output · · Score: 3, Insightful

      I personally think that allowing full disclosure of security problem would greatly help that but what do I know...

      About as much as me, I'd assume.

      The obvious staring-you-in-the-face difference between this and 9/11 is that this book is flinging accusations at specific parties - all of them major world governments - without any evidence. It's very different from saying "a group of cyberterrorists is in principle capable of hijacking our servers and messing with our communications", and more like saying "Iraq has WMD, let's fuck their shit up" - also without evidence.

      --
      Nothing lasts forever but the certainty of change.
    2. Re:FUnny how there's no eviDence... by Seanface · · Score: 4, Informative

      That's an awfully broad statement. There's evidence, though it's mostly based on circumstance. I don't think I need to be linking articles about the China Cyber Attack stuff, or North Korea, as that's all fresh.

      But I'm happy to offer other links from the recent and not so recent past that are relevant.

      Somewhat recent -

      Russian Cyber Attacks on Georgia
      http://blogs.zdnet.com/security/?p=1670

      PowerGrid Vulnerability of the US
      http://www.time.com/time/nation/article/0,8599,1891562,00.html

      In a Galaxy Far Far Away... 1998, a brief description of L0pht testifying before congress.Excerpt included.
      http://hsgac.senate.gov/l0pht.htm

      ""We have become so dependent on communications links and electronic microprocessors that a determined adversary or terrorist could shut down federal operations or damage the economy simply by hacking into our computers. The two General Accounting office reports which will be released at our hearing--one on the State Department and one on the Federal Aviation Administration- -raise serious concerns about the risks to the public because of information security weaknesses.""

    3. Re:FUnny how there's no eviDence... by hedwards · · Score: 3, Insightful

      That's not analogous at all. We know, and have known for some time, that a huge number of attacks come out of China and Russia. While we don't specifically know that the Russian or Chinese government is sponsoring it, we do know pretty reliably that they don't seem to care about it as long as the crimes are being addressed over seas. That's completely different than the claim that the Iraqi government owned and controlled weapons of mass destruction something which was never substantiated following the formal dismantling of those after the first gulf war.

      At the end of the day, the argument you make is disturbingly similar to: because Neo-Nazis just post the details of people they want assassinated that they aren't themselves responsible, when it's almost certain that given and address and a motive somebody will follow through.

      And no, I'm not being as extreme with the examples as it might appear, there's any number of electronic devices which could cause that level of trouble. Ever imagine what would happen if somebody were to screw with the communications infrastructure? It's not that hard to believe that people could die as a result. Especially if done in conjunction with a suspected terrorist attack.

    4. Re:FUnny how there's no eviDence... by calibre-not-output · · Score: 2, Interesting

      That's not analogous at all. (...) At the end of the day, the argument you make is disturbingly similar to: because Neo-Nazis just post the details of people they want assassinated that they aren't themselves responsible, when it's almost certain that given and address and a motive somebody will follow through

      Please, do point out to me where I said that it was analogous. What I did say is that

      It's very different from saying "a group of cyberterrorists is in principle capable of hijacking our servers and messing with our communications", and more like saying "Iraq has WMD, let's fuck their shit up" - also without evidence.

      which is very different from your Neo-Nazi analogy. By the way, how is that different from when the police or news outlets divulge photos and information on wanted criminals? someone might decide to hunt them down and do justice with their own hands as well. Or is the fact that the known criminals happen to be missing somehow a merit of the people who are setting the hounds on them?

      Your example is extreme, and it is not even close to the point. A government cannot be blamed for the isolated actions of a minority group of citizens, so it is very relevant whether they authorities sponsored the attacks or not. And as long as Russian property or the rights of Russian citizens are not being harmed, the Russian government has no civic obligation to stop these attacks, unless it is a part of an international treaty that says otherwise.

      --
      Nothing lasts forever but the certainty of change.
  2. ATC by Shakrai · · Score: 2, Insightful

    Pray tell, why should a system such as Air Traffic Control even be accessible on a public network such as the internet? To the best of my knowledge air traffic controllers aren't allowed to telecommute. Why aren't networks such as this hardened and kept off public networks?

    --
    I want peace on earth and goodwill toward man.
    We are the United States Government! We don't do that sort of thing.
    1. Re:ATC by Jazz-Masta · · Score: 2, Funny

      Pray tell, why should a system such as Air Traffic Control even be accessible on a public network such as the internet? To the best of my knowledge air traffic controllers aren't allowed to telecommute. Why aren't networks such as this hardened and kept off public networks?

      How else are the Air Traffic Controllers going to get their fix of cute kittens?

    2. Re:ATC by jittles · · Score: 2, Insightful

      probably so you can do things like In-flight tracking and other handy things. Now that doesn't mean they can't design their network in such a way to make it so such attacks on the actual air traffic system are impossible.

  3. second post by slick7 · · Score: 3, Insightful

    As long as the US outsources IT, it is to be expected that there will be those that will challenge our preeminence in any field related to IT.

    --
    The mind conceives, the body achieves, the spirit manifests.
    1. Re:second post by Maxo-Texas · · Score: 2, Informative

      Nope.

      At my company, a large indian offshoring company has taken over about 80% of the top technical jobs.

      And of our remaining programmers, at least 90% are not allowed to code any more- only design. out of a 200 person staff that coded for 10 to 20 years, less than 20 code.

      I coded until 2007. Used to be pretty good too. Probably would take me 90 days to come back up to speed even with just installing the tools (and that's assuming I could get to the tools over a battle damaged internet).

      --
      She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
  4. Clarke's Been Playing This Violin for Years by Jeremiah+Cornelius · · Score: 3, Interesting

    Same damn tune.

    I'm in InfoSec - vulnerability assessment and remediation. I used to see him speak in the Clinton years, when he'd toot the f-ing horn, how he had Big Bill's ear about this. After 911 he went on a book and lecture circuit.

    Bullshit then, and now.

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
    1. Re:Clarke's Been Playing This Violin for Years by WindowlessView · · Score: 2, Informative

      > I used to see him speak in the Clinton years

      As I recall he was one of the few people who was trying to warn about the rise of AQ. Given the outcome, I don't see how this should be construed to be a negative.

      --
      Leave the gun, take the cannolis.
    2. Re:Clarke's Been Playing This Violin for Years by BobMcD · · Score: 2, Insightful

      Really??? Oh, now THAT is interesting.

      Descend with me for a moment into conspirator territory:

      1) Assume for a moment that 'terrorism' was mostly just a rip-and-replace of the old enemy, 'communism'. And I could discuss this at length if desired, but bear in mind, at a minimum, that Osama being a terrorist was not only okay during the 80's, but he was terrorizing using our own tax dollars. Terrorism isn't new, by any means, and it has only recently become intolerable. Anyway, assume 's/communism/terrorism/g'..

      2) Assume then that someone needs to be Cassandra about this topic. They raise the early alarm bells against deaf ears, all the while lessening the resistance against more reasonable voices.

      Given the possibility that "1" and "2" are true, would it likewise indicate that there really is an agenda to get 'Cyber War' to be the next new enemy? This gentlemen would be tapped to do what he did so well last time around, but for this topic instead.

  5. Bill Gates is the "Manchurian Candidate"? by peter303 · · Score: 5, Insightful

    His OS is used 90% of US computers, including military ones. And it security holes you could sail an aircraft carrier through.
    MicroSoft has been more diligent about security lately. But the damage has already been done.

    1. Re:Bill Gates is the "Manchurian Candidate"? by calibre-not-output · · Score: 2, Insightful

      I'm as anti-Microsoft as you can get without stepping into fanboy territory, but any system that had such a wide deployment would be more sought after by malicious programmers, and would thus have more actively exploited security flaws. Blame MS for default settings being too loose on security, but don't blame them for being under heavy fire all the time.

      --
      Nothing lasts forever but the certainty of change.
  6. First people have to care about real security... by kbonin · · Score: 4, Interesting

    As nearly anyone working on the "front lines" of security will tell you, most companies don't really care about security past some low level of lip service. Corporate networks [nearly] always have firewalls, but most of the time the IT staff is paid to care more about restricting employees from 'wasting company time' than in managing advanced multi-level defenses (why most networks are 'crunch on the outside, soft and chewy on the inside.') Equipment and software vendors provide password level security, often with authentication integration into LDAP/AD, but rarely support real tokens or PKI's backed by an HSM, as most companies don't want to pay for a real HSM (and with post dot bomb price escalation, that's often understandable - $40k for a 1U server with layered tamper switches and a custom app?) CSO's are treated as a cost center along with the rest of IT, and its often the policy to force people to keep quiet when major breaches occur. Its simpler and cheaper to make sure the board and stockholders don't know how often the databases and repositories are exported to FTP sites in China than to actually make it really difficult to succeed, as real security often costs real money. There's a whole underground industry of targeted penetration, as ethics and patriotism fall to greed - the underlying problems are far deeper than basic "cybersecurity".

  7. Re:First people have to care about real security.. by godrik · · Score: 2, Funny

    well I requested an access to a machine where the procedure to get access are crazy (as in checking you are not a known terorist and making notarized declarations). When I had a problem login onto the machine, I sent a uncrypted/unsigned email to help@service and the admin replied by giving me a password in clear...

  8. Groan, cold war paranoia by petes_PoV · · Score: 2, Insightful
    I suppose this counts as a firewall gap, or a software gap. In fact it's probably just a load of sabre-rattling and FUD put about by the interseted parties to get a little more pork from an easy target, rather than having to go out there and sell products that normal people want, in the real world.

    Or it could just be good old fashioned xenophobia

    --
    politicians are like babies' nappies: they should both be changed regularly and for the same reasons
  9. Re:What's with all this "Cyber"? by Trepidity · · Score: 2, Interesting

    Indeed, that prefix really makes no sense. To quote Ted Nelson:

    "Cyber-" is from the Greek root for "steersman" (kybernetikos). Norbert Wiener coined the term "cybernetics" for anything which used feedback to correct things, in the way that you continually steer to left or right to correct the direction of a bicycle or a car. So "cybernetics" really refers to control linkages, the way things are connected to control things.

    Because he was writing in the nineteen-forties, and all of this was new, Wiener believed that computers would be principally used for control linkages-- which is if course one area of their use.

    But the term "cybernetics" has caused hopeless confusion, as it was used by the uninformed to refer to every area of computers. And people would coin silly words beginning with "cyber-" to expand ideas they did not understand. Words like "cyberware", "cyberculture", "cyberlife" hardly mean anything. In general, then, words beginning with "cyber-" mean "either I do not know what I am talking about, or I am trying to fool and confuse you" (as in my suggested cybercrud).

    --
    10 PRINT CHR$(205.5+RND(1)); : GOTO 10
  10. "Cyber" is propaganda? by Hideo+Kuze · · Score: 2, Informative

    I don't know if any one saw this or takes Wired seriously for that matter, but here is an "article" about cyberwar attacks being an urban legend. There was an article on Wired a while ago about the same thing, it also brings up the idea that using the word "Cyber" is a very negative prefix for an internet based situation usually before an equally negative word like terrorism or war http://www.wired.com/threatlevel/2010/03/urban-legend/ Have at it.

  11. Use a data diode by ka9dgx · · Score: 2, Interesting

    They could use a data diode to make a read-only copy of the flight tracking information available to all, with zero risk to the air traffic control network. These devices are in use by goverments to protect really secret stuff... so they should work for this as well.

  12. Feed the Military-Industrial Complex by MarkvW · · Score: 2

    This is just lobbying for a powerful special interest group that wants lots of tax money.

    The US is deployed in two nations at extreme cost. People ignore the brutal financial hit these military interventions are making. We're acting like an enraged bull. Our enemies win when they make us exhaust ourself. The military industrial complex is blind to this issue. They are a hammer that sees problems as nails--and they are self interested. The contractors are in it for the money. The military is focused on "defense." There is nothing wrong with either position--but we must DIRECT them--not let them direct us.

  13. The Most? by andrea.sartori · · Score: 2, Interesting

    Given that the United States is heavily dependent on technology for everything from computer-based banking to supply-chain tracking and air-traffic control,

    Given that every country in the whole world is dependent on the same technology for literally everything --down to irrigation control in agriculture in some cases-- it doesn't seem to me like the USA are automatically the "most" vulnerable country.

    Alright, the US has been the host of the most part of the internet for years. It's been the main, or one of the main, repositories of technology worldwide, for years. And yes, it's been the place where the most renowned cybercrimes were perpetrated... for years. But then, and for the same exact reasons, it's one of the places where security has been taken seriously the earlier... (right?)

    Oh, was it just a book presentation? Written by a former government advisor? Nevermind.

    --
    Mostly harmless.
  14. Oblig Star Trek link by Curate · · Score: 2, Interesting
    keep cyberwars from escalating into full-scale combat

    A noble goal. Forget trying to prevent cyberwars, but definitely contain them so that there is no actual physical combat. That way there are no real casualties, right? Somehow this instantly reminded me of the Star Trek episode "A Taste of Armageddon" (http://memory-alpha.org/en/index.php/A_Taste_of_Armageddon_%28episode%29) where two societies wage war using computer simulation, but with real human casualties. Star Trek really was ahead of its time on so many levels.