Separating Cyber-Warfare Fact From Fantasy

smellsofbikes writes "This week's New Yorker magazine has an investigative essay by Seymour Hersh about the US and its part in cyber-warfare that makes for interesting reading. Hersh talks about the financial incentives behind many of the people currently pushing for increased US spending on supposed solutions to network vulnerabilities and the fine and largely ignored distinction between espionage and warfare. Two quotes in particular stood out: one interviewee said, 'Current Chinese officials have told me that [they're] not going to attack Wall street, because [they] basically own it,' and Whitfield Diffie, on encryption, 'I'm not convinced that lack of encryption is the primary problem [of vulnerability to network attack]. The problem with the Internet is that it's meant for communication among non-friends.' The article also has some interesting details on the Chinese disassembly and reverse-engineering of a Lockheed P-3 Orion filled with espionage and eavesdropping hardware that was forced to land in China after a midair collision."

How to deal with network security?

[HungryHobo]

Audit your code.
Don't try to tac security on at the end, build it in from the start.
Don't assume that the other security layers will hold so yours isn't important.(when i was working in a large tech company this was the most common problem, everyone thought the security above or bellow their own applications or systems was secure enough that they didn't have to worry too much about it themselves)
Make sure your coders know enough about the various types of attack that they know what they've got to defend against.

use Default Deny not Default Permit.
don't try to Enumerate Badness. it doesn't work.
Don't rely on Penetrate and Patch . it works badly.
Don't expect average users to get educated about security, they only care about security enough to not get fired, they will also pick awful passwords 99% of the time and will use Pass1234 if asked for uppercase,lowercase and numbers.
patch your systems.

Fire anyone who writes the domain admin password on a postit and sticks it to their monitor.

Re:Warfare?

[HungryHobo]

China is just the current bogeyman.
there's no shortage of attacks from hackers anywhere, but I'm told china used to be a good place to bounce attacks through and there probably is a certain amount of corporate espionage.

Re:Warfare?

[advocate_one]

Not to sound like my tinfoil hat has gotten too tight, but really is this warfare? So our grid goes down. Does this mean we can't live?

You've already had examples of how things break down when the power goes out during the previous major blackouts... imagine it being nationwide and more than 48 hours in duration... you cannot cope with that... people WILL be fighting for food and water...

There were fights in supermarkets in Gloucestershire over bread and water when the floods hit in 2007...

They were minutes away from having to order the evacuation of most of the county if the flood defences had failed to protect the major electricity substation supplying a large part of the county including the city of Gloucester... the main water treatment plant was taken out by the floods and we were having to use water trucked in and distributed via water bowsers for several weeks until the plant was repaired and the water mains had been flushed out and treated

Re:Warfare?

[chrb]

The article quotes Richard Clarke on a hypothetical Chinese cyber attack:

Within a quarter of an hour, 157 major metropolitan areas have been thrown into knots by a nationwide power blackout hitting during rush hour. Poison gas clouds are wafting toward Wilmington and Houston. Refineries are burning up oil supplies in several cities. Subways have crashed in New York, Oakland, Washington, and Los Angeles. . . . Aircraft are literally falling out of the sky as a result of midair collisions across the country. . . . Several thousand Americans have already died.

Firstly, China isn't going to attack the U.S. - going to war with one of your largest trading partners and a nuclear armed state would be stupid. But if China were to wage war on the U.S. then the deaths of a few thousand people and the associated chaos would be chickenfeed compared to the effects of nukes raining down on American cities. I wonder whether this kind of alarmism is meant purely to scare people into accepting increased defence spending, or whether the people at the top honestly believe what they are saying?

Re:Ya well I'm going to have to file that as fanta

[grcumb]

I didn't read the whole thing but the first 10 paragraphs or so strike me as nothing but a bunch of half-informed fear mongering from a journalist who doesn't know what they are talking about.

If you only read the first 10 paragraphs, then you haven't done the article justice. Hersh is renowned for his long-form journalism. It's old-school, I know, but he takes his time to investigate and analyse. He doesn't foist his conclusions on the reader; he presents his take on the available information and leaves the reader to think it through.

I'll be the first to admit that he's more patient -and more deliberately objective- than most of us. In fact, that's exactly what I wrote about him earlier today.

This is the same guy who broke the story of the My Lai Massacre as well as many of the most important stories about the American military over the last few decades. His sources are impeccable, and his research is world class. Do yourself a favour: load the page onto your favourite e-book reader and take the time to follow his argument all the way to the end.

Re:Warfare?

[grcumb]

I wonder whether this kind of alarmism is meant purely to scare people into accepting increased defence spending, or whether the people at the top honestly believe what they are saying?

If you read TFA all the way through, Hersh is clearly making the case that the entire body of 'cyberwar' rhetoric is little more than a power (and budget) grab. One of the more interesting quotes comes from a security analyst who says most of the electronic espionage we see these days comes from allied countries, and it's mostly economic in nature.

"Warfare" falls under the Geneva Convention

[lkcl]

several months back, a very frustrated U.S. General said that it would be a good idea to respond with conventional military strikes in response to cyber "warfare". the problem with that, and the problem with using the word "warfare" at all, is that "warfare" falls under the international treaties that make up the geneva convention.

to spell it out: should someone make a physically violent attack on a citizen of another country who did nothing more than accept an open invitation to manipulate infrastructure which should never have been open in the first place, then all citizens of that country have the right - THE RIGHT - to respond with physical violence against ALL the attacking country's citizens, and against ALL assets and territories of the attacking country.

put simply: no matter what the "excuse", if you attack one country's citizens, you have declared war on that country, and they can LEGITIMATELY attack back.

this is the definition of war.

so it is very, very stupid to link the two words "cyber" and "war" in the same sentence.

regarding the espionage issue and the infrastructure issue: it's very very simple. the best way to protect assets is not to connect them to the outside world! sometimes i have difficulty understanding why this is not understood. it's very simple: pull out the plug! to fail to take this simple precaution is to INVITE attack, and the consequences have to be accepted!

but yes: the "ownership" issue is very telling. america and europe's reliance on cheap chinese products basically places them entirely into china's debt. they really aren't kidding when they say "we own you" - why do you think the U.S. is devaluing its currency so rapidly! they're playing exactly the same trick that Hitler's government played on its war reparations of the first world war. ... we live in interesting times, boys and girls...

Re:"Warfare" falls under the Geneva Convention

[ledow]

Since when has the US cared about the Geneva Convention? There are more than one Geneva Convention, for a start, and the US never ratified two of those. Those it did, it regularly breaches - you have things like Guantanamo Bay which is still operational and where sleight of hand is used to endorse various forms of torture against people because it's unclear if they are prisoners of war or not.

The US has to decide - either it's at war, and thus the prisoners it holds have the rights of prisoners of war (and, come on, just show some god-damn humanity too), or it's not in which case why is it bombing another country including its civilians? And if that country attacks back, surely that's just an act of war too and nothing that can be condemned? Listen carefully - they have a "war on terror" and even that phrasing has been phased out. You can't be "at war" with a concept rather than a particular country. And if you are "at war" with someone then pretty much any act they perform against your military and (if the US is playing the same game) your citizens is fair game.

The US has much, much bigger problems to worry about that a few hackers, and should be disgusted with itself. Land of the free? Only if you're not foreign-looking, only within the bounds of the US borders (so we'll take you to a foreign country where you don't have those rights), only if you can prove you've never done anything wrong despite never being given a trial. Home of the brave? How much courage does it take to beat, torture and humiliate a captured prisoner? The US doesn't care and even claims that things like an American "Internet kill-switch" would be at all useful in an *international* network - sever routes to the US (just in case their "kill switch" means active attacks against peers) and everyone else carries on as normal. All it could/world ever do is censor the US population.

To be honest, if the US military *is* seriously worried about such things as cyber-warfare over the Internet, then they really don't know how to design a military system.

And now fantasy

[sakdoctor]

Security is best outsourced entirely to a company with a metal effect logo and lots of padlocks on their website.
The most important aspect of security is the visualisation shown to the end user.
All workstations should be protected by at least a green spinning cube.
Voice recognition or hand print scanners are the way forward.
Light your server room from above very slow spinning fan blades.
Factor in around one henchman in black, per 100 servers.
Have web access to all critical systems. input[type="password"]{ font-size:1000%; }
Have a physical self-destruct (as in a bomb), to destroy all your unencrypted data, if you simply get overwhelmed by Russian hackers in quasi-futuristic clothing.

Re:Warfare?

[mcgrew]

Wow. I thought the US was supposed to be "cowboy country" and so violent. When Two tornados tore through my town the power was out citywide overnight, and took a week to get back online in many neighborhoods (including mine). Nobody rioted, despite stores being closed for several days (and many stores for a month, as the buildings were badly damaged). I ran out of cat food, one open store that was without electricity was using an old-fashioned credit card reader that relied on carbon paper.

Hell, as chronicled in the linked journal, damaged bars were open the next day, with folks drinking by candle light.

They didn't even riot during Katrina.