Separating Cyber-Warfare Fact From Fantasy

smellsofbikes writes "This week's New Yorker magazine has an investigative essay by Seymour Hersh about the US and its part in cyber-warfare that makes for interesting reading. Hersh talks about the financial incentives behind many of the people currently pushing for increased US spending on supposed solutions to network vulnerabilities and the fine and largely ignored distinction between espionage and warfare. Two quotes in particular stood out: one interviewee said, 'Current Chinese officials have told me that [they're] not going to attack Wall street, because [they] basically own it,' and Whitfield Diffie, on encryption, 'I'm not convinced that lack of encryption is the primary problem [of vulnerability to network attack]. The problem with the Internet is that it's meant for communication among non-friends.' The article also has some interesting details on the Chinese disassembly and reverse-engineering of a Lockheed P-3 Orion filled with espionage and eavesdropping hardware that was forced to land in China after a midair collision."

How to deal with network security?

[HungryHobo]

Audit your code.
Don't try to tac security on at the end, build it in from the start.
Don't assume that the other security layers will hold so yours isn't important.(when i was working in a large tech company this was the most common problem, everyone thought the security above or bellow their own applications or systems was secure enough that they didn't have to worry too much about it themselves)
Make sure your coders know enough about the various types of attack that they know what they've got to defend against.

use Default Deny not Default Permit.
don't try to Enumerate Badness. it doesn't work.
Don't rely on Penetrate and Patch . it works badly.
Don't expect average users to get educated about security, they only care about security enough to not get fired, they will also pick awful passwords 99% of the time and will use Pass1234 if asked for uppercase,lowercase and numbers.
patch your systems.

Fire anyone who writes the domain admin password on a postit and sticks it to their monitor.

Re:Warfare?

[HungryHobo]

China is just the current bogeyman.
there's no shortage of attacks from hackers anywhere, but I'm told china used to be a good place to bounce attacks through and there probably is a certain amount of corporate espionage.

Re:Warfare?

[chrb]

The article quotes Richard Clarke on a hypothetical Chinese cyber attack:

Within a quarter of an hour, 157 major metropolitan areas have been thrown into knots by a nationwide power blackout hitting during rush hour. Poison gas clouds are wafting toward Wilmington and Houston. Refineries are burning up oil supplies in several cities. Subways have crashed in New York, Oakland, Washington, and Los Angeles. . . . Aircraft are literally falling out of the sky as a result of midair collisions across the country. . . . Several thousand Americans have already died.

Firstly, China isn't going to attack the U.S. - going to war with one of your largest trading partners and a nuclear armed state would be stupid. But if China were to wage war on the U.S. then the deaths of a few thousand people and the associated chaos would be chickenfeed compared to the effects of nukes raining down on American cities. I wonder whether this kind of alarmism is meant purely to scare people into accepting increased defence spending, or whether the people at the top honestly believe what they are saying?

"Warfare" falls under the Geneva Convention

[lkcl]

several months back, a very frustrated U.S. General said that it would be a good idea to respond with conventional military strikes in response to cyber "warfare". the problem with that, and the problem with using the word "warfare" at all, is that "warfare" falls under the international treaties that make up the geneva convention.

to spell it out: should someone make a physically violent attack on a citizen of another country who did nothing more than accept an open invitation to manipulate infrastructure which should never have been open in the first place, then all citizens of that country have the right - THE RIGHT - to respond with physical violence against ALL the attacking country's citizens, and against ALL assets and territories of the attacking country.

put simply: no matter what the "excuse", if you attack one country's citizens, you have declared war on that country, and they can LEGITIMATELY attack back.

this is the definition of war.

so it is very, very stupid to link the two words "cyber" and "war" in the same sentence.

regarding the espionage issue and the infrastructure issue: it's very very simple. the best way to protect assets is not to connect them to the outside world! sometimes i have difficulty understanding why this is not understood. it's very simple: pull out the plug! to fail to take this simple precaution is to INVITE attack, and the consequences have to be accepted!

but yes: the "ownership" issue is very telling. america and europe's reliance on cheap chinese products basically places them entirely into china's debt. they really aren't kidding when they say "we own you" - why do you think the U.S. is devaluing its currency so rapidly! they're playing exactly the same trick that Hitler's government played on its war reparations of the first world war. ... we live in interesting times, boys and girls...

Re:"Warfare" falls under the Geneva Convention

[ledow]

Since when has the US cared about the Geneva Convention? There are more than one Geneva Convention, for a start, and the US never ratified two of those. Those it did, it regularly breaches - you have things like Guantanamo Bay which is still operational and where sleight of hand is used to endorse various forms of torture against people because it's unclear if they are prisoners of war or not.

The US has to decide - either it's at war, and thus the prisoners it holds have the rights of prisoners of war (and, come on, just show some god-damn humanity too), or it's not in which case why is it bombing another country including its civilians? And if that country attacks back, surely that's just an act of war too and nothing that can be condemned? Listen carefully - they have a "war on terror" and even that phrasing has been phased out. You can't be "at war" with a concept rather than a particular country. And if you are "at war" with someone then pretty much any act they perform against your military and (if the US is playing the same game) your citizens is fair game.

The US has much, much bigger problems to worry about that a few hackers, and should be disgusted with itself. Land of the free? Only if you're not foreign-looking, only within the bounds of the US borders (so we'll take you to a foreign country where you don't have those rights), only if you can prove you've never done anything wrong despite never being given a trial. Home of the brave? How much courage does it take to beat, torture and humiliate a captured prisoner? The US doesn't care and even claims that things like an American "Internet kill-switch" would be at all useful in an *international* network - sever routes to the US (just in case their "kill switch" means active attacks against peers) and everyone else carries on as normal. All it could/world ever do is censor the US population.

To be honest, if the US military *is* seriously worried about such things as cyber-warfare over the Internet, then they really don't know how to design a military system.

Long article is long

[divinewind]

The article itself is a very good read eh. (Which is probably why there are not that many comments here yet (RTA FTW). It focuses mostly on the war/espionage aspects and has very few mentions of privacy and such, downplaying it rather well. The interesting thing I learnt is that the NSA is pretty messed, [the article saying they] want security but they would rather know everything about everyone. In all, it's probably all hype eh. Sure there are implications of damage war can be brought, but as the article sometimes pointed out, it's hard to distinguish from economic spying and military espionage. In any case, the best thing that can happen (for me) is if America does decide to go ahead and give the NSA even more power they seek. When everyone is under the eye of bigbrother, there should be war. Which is fun eh. If there is no war, America would be a sucky place to live in. Canada would probably be bullied into doing the same thing, so my place would be messed too. Heh... but in all this, I find that I am really anxious for that to happen. I really want to forget everything, take out a few guns, and go out guns ablazing. Like that dude in V for Vendetta. Yarr.

Re:Warfare?

[mcgrew]

Wow. I thought the US was supposed to be "cowboy country" and so violent. When Two tornados tore through my town the power was out citywide overnight, and took a week to get back online in many neighborhoods (including mine). Nobody rioted, despite stores being closed for several days (and many stores for a month, as the buildings were badly damaged). I ran out of cat food, one open store that was without electricity was using an old-fashioned credit card reader that relied on carbon paper.

Hell, as chronicled in the linked journal, damaged bars were open the next day, with folks drinking by candle light.

They didn't even riot during Katrina.

I enjoy

[nimbius]

how all these articles focus mostly on China. If this were 45 years ago, you could replace china with soviet union, and cyber warfare with nuclear holocaust. In my opinion this just goes to show how generally targeted and short sighted most american foreign policy really is. There is always something new to fear, new to hate.

Re:Ya well I'm going to have to file that as fanta

[_Sprocket_]

Whoa. Wait a second. You mean we've been complaining all this time about shallow sound-bite and press-release "reporting" and then they slip in a REAL reporter? With an in-depth story? That requires... reading the whole thing?!