Measuring China's Cyberwar Threat
An anonymous reader writes with this excerpt from Network World: "A lengthy report prepared for the U.S. government about China's high-tech buildup to prepare for cyberwar includes speculation about how a potential conflict with the U.S. would unfold — and how it might only take a few freelance Chinese civilian hackers working on behalf of China's People's Liberation Army to sow deadly disruptions in the U.S. military logistics supply chain. As told, if there's a conflict between the U.S. and China related to Taiwan, "Chinese offensive network operations targeting the U.S. logistics chain need not focus exclusively on U.S. assets, infrastructure or territory to create circumstances that could impede U.S. combat effectiveness," write the report's authors, Bryan Krekel, Patton Adams and George Bakos, all of whom are information security analysts with Northrop Grumman. The report, "Occupying the Information High Ground: Chinese Capabilities for Computer Network Operations and Cyber Espionage," focuses primarily on facts about China's cyberwar planning but also speculates on what might happen in any cyberwar."
But what happens after a month when those computers have their OS reinstalled - with Linux or a commercial UNIX, or even, zOS if need be, and the data you've deleted has been restored from backup CDs?
Most businesses don't have disaster recovery plans. And those that do, like mine, haven't given much thought to the timetable on a full restore of all IT resources from nothingness. The one I'm working for right now has a 4 year plan for rolling out Windows 7 that started last month. In other words, they started the rollout late, and they'll be deploying outdated tech well past the point when the next version comes out. This is just loading the operating system... consider all the other IT resources that would need to be rebuilt.
On to data backup and restore functionality: All the backups are stored on NAS devices that are always connected. There is no offline backup. They don't use tapes, optical media, or any of that jazz. And most of those backups are located on-site, adding insult to injury. It's taking them 4 years to roll out an operating system remotely, the process is largely manual, riddled with errors, and each system requires, on average, 3 hours of support resources to complete the upgrade.
Without getting into details, this is a Fortune 100 company, and because of the nature of its business is required by law to have stringent backup policies as well as data protection. The state of the art encryption and data protections can all be catastrophically bypassed by design using a 4 digit PIN. The 4 digit PIN... is the last 4 digits of the user's SSN. The first and last name, as well as geolocation information, is in Active Directory, which even the 'guest' account can access. Every person who works support, from phone to desktop, network to deployment, has local admin rights to every workstation in the company. Do the math. Then cry.
This... is typical for most large businesses.
#fuckbeta #iamslashdot #dicemustdie
Has anyone in the US Military stopped to notice what critical supplies are manufactured solely in China today? I do not mean just armaments, but stuff that the US military would be utterly unable to move without. Stuff like light bulbs. Fuel filters. Glass containers.
Simple little things that the last US manufacturer closed down for either recently or as far back as 1980.
Do we still make toilet paper in the US? I suspect there may only be one factory that does and it will probably close down soon. It is much cheaper to have it made over there and shipped here.
We cannot possibly win a conflict with China - they would cut off our supply of manufactured items and the military would just grind to a halt.
Sure, they could probably shut down a couple of factories making classified munitions, but who cares? They figured out that troops don't fight without toilet paper in WW I and trust me, it hasn't gotten any better. They cut off our supply of toilet paper and the US population would storm Washington and demand an end to the conflict immediately. I am not kidding here.
One of the things TFA mentions is how many of the targets wouldn't actually be military, but rather civilian contractors which the military needs to run day-to-day operations. This isn't a computer security problem, it's a cultural problem. The contracting / privatization craze has hit the military in a big way. I know this will sound like old-soldier grumbling, but when I was in (late 80s to mid 90s) we didn't have this problem, much. We had plenty of civilian contractors around, sure, but combat-critical logistics and maintenance functions were handled by people in uniform. Now we have a situation where units engaged in active combat can't function unless civilians who are not under oath and are not trained for the situation (and who are often paid much, much more than soldiers used to be to perform the same jobs; the "privatization saves money" argument is complete bullshit) decide to show up for work that day. The military needs to be able to handle its own operations in a war zone, and right now, it can't do that.
The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.