Measuring China's Cyberwar Threat
An anonymous reader writes with this excerpt from Network World: "A lengthy report prepared for the U.S. government about China's high-tech buildup to prepare for cyberwar includes speculation about how a potential conflict with the U.S. would unfold — and how it might only take a few freelance Chinese civilian hackers working on behalf of China's People's Liberation Army to sow deadly disruptions in the U.S. military logistics supply chain. As told, if there's a conflict between the U.S. and China related to Taiwan, "Chinese offensive network operations targeting the U.S. logistics chain need not focus exclusively on U.S. assets, infrastructure or territory to create circumstances that could impede U.S. combat effectiveness," write the report's authors, Bryan Krekel, Patton Adams and George Bakos, all of whom are information security analysts with Northrop Grumman. The report, "Occupying the Information High Ground: Chinese Capabilities for Computer Network Operations and Cyber Espionage," focuses primarily on facts about China's cyberwar planning but also speculates on what might happen in any cyberwar."
In computers and network security, every time someone uses 'cyber' in a serious, unironic manner, they lose credibility.
TFA uses it 9 times.
Our newest 'threat' we need to throw money at to 'combat'.
Instead of ohhhh... I don't know... not connecting important shit to the internet...
What's it gonna be called.. That's the big question. 'War on Cyber' doesn't sound catchy enough.
This is what I would add:
All speculation is geared toward ensuring that the report's authors or their agents are beneficiaries in any efforts the US government would take to "mitigate" any China factor(s).
There are many different tasks and functions for which the military and government agencies use the public/commodity internet. There are also various levels of private networks for more sensitive requirements.
None of that, however, stops the NSA from operating under the assumption that its networks are compromised.
Brookings just put out a great paper on a related topic, Cybersecurity and U.S.-China Relations (PDF). It's worth a read.
I'm sceptical of how much damage 'cyberwar' can really do sustainably. I suspect it would be a bit like Pearl Harbor - you make enormous damage the first day with a surprise attack, but it goes downhill from there.
I mean, I'm sure that the first day a lot of computers will go offline, and even factories will stop, etc. But what happens after a month when those computers have their OS reinstalled - with Linux or a commercial UNIX, or even, zOS if need be, and the data you've deleted has been restored from backup CDs, and everywhere there are billboards on the road proclaiming that whoever isn't updating their computer is giving Hitler a drive. Would it be as easy to go on inflicting damage then?
Has anyone in the US Military stopped to notice what critical supplies are manufactured solely in China today? I do not mean just armaments, but stuff that the US military would be utterly unable to move without. Stuff like light bulbs. Fuel filters. Glass containers.
Simple little things that the last US manufacturer closed down for either recently or as far back as 1980.
Do we still make toilet paper in the US? I suspect there may only be one factory that does and it will probably close down soon. It is much cheaper to have it made over there and shipped here.
We cannot possibly win a conflict with China - they would cut off our supply of manufactured items and the military would just grind to a halt.
Sure, they could probably shut down a couple of factories making classified munitions, but who cares? They figured out that troops don't fight without toilet paper in WW I and trust me, it hasn't gotten any better. They cut off our supply of toilet paper and the US population would storm Washington and demand an end to the conflict immediately. I am not kidding here.
One of the things TFA mentions is how many of the targets wouldn't actually be military, but rather civilian contractors which the military needs to run day-to-day operations. This isn't a computer security problem, it's a cultural problem. The contracting / privatization craze has hit the military in a big way. I know this will sound like old-soldier grumbling, but when I was in (late 80s to mid 90s) we didn't have this problem, much. We had plenty of civilian contractors around, sure, but combat-critical logistics and maintenance functions were handled by people in uniform. Now we have a situation where units engaged in active combat can't function unless civilians who are not under oath and are not trained for the situation (and who are often paid much, much more than soldiers used to be to perform the same jobs; the "privatization saves money" argument is complete bullshit) decide to show up for work that day. The military needs to be able to handle its own operations in a war zone, and right now, it can't do that.
The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
"may" employed about 100 times (order of magnitude, I lost count). "would" exactly 59 times, in 109 pages of text (not counting the appendix and refs/bibliography part).
Religious speak to God. Insane are spoken to by God. When all shut up, one can finally hear Shostakovich in peace
Another (highly upstream) impediment to combat effectiveness is a change of attitude away from combat-based resolution. O, to have hackers so skilled, from any nation, that yang may cede to yin, at least for a few years, in our lifetimes...
(end lament)
Mod me double plus idiot if you will, but in our small company, our "critical computer" - the one that has files I don't want to lose (yes, I do backups), and the one I don't ever want hacked, it is NEVER connected to the internet. No wifi, no bluetooth, no cable, nada, zilcho. I even have independent power supply aside from plugging it into the wall.
Anything I need to introduce into the computer is done by a freshly formatted USB, and double checked and scanned first on a different machine running Linux. When not in use, I physically turn it off and disconnect the power supply, and if the hackers can get into a machine with no power, well, I'll just go back to pen and ink at that point. :)
Now seriously, I know you cannot turn off a computer that is running a nuke plant or a NORAD radar system, but why are so many critical systems connected to the internet? Or have online access of any kind? Back in the good old days of BBSes when I was a sysop and upgrading from a 9600 baud modem to a 28,800 was like a miracle (you know, this was back way when dinosaurs still roamed the earth, or so my kids see it as such :) ), the quickest way sometimes to block a hacker attack was to physically disconnect the phone line from the modem.
Again, mod me super simplistic idiot, but if I were operations manager for a nuke plant, and a major cyber attack was underway, to prevent a meltdown, wouldn't you be tempted to just take a pair of wire cutters and snip the physical connection to the internet?
Viktor Suvorov, "Inside the Soviet Army"? The laugh-or-cry gallows humour in that book is absolutely brilliant. You really feel with the author. It reminded me about Solzhenitsyn's unsentimental yet gripping descriptions of the gulags.
Emotions! In your brain!
All of this talk about China winning any kind of conflict is hocus pocus. What China could do is cause a severe amount of damage to cyber infrastructure and repel any occupational force on the mainland. What they could not do is reach beyond their own border militarily, acquire enough energy to wage war, or find access to friendly markets once the war started. China may be a big economy but without the support of the world European and Japanese powers they would have an awful hard time keeping a stable economy. Additionally large swaths of the interior of China are in fact recent acquisitions (occupations) with populations just itching for a chance to strike back at the ethnic Han Chinese. The US arming the Muslims and Tibetans could create hell for China at home. Compare this to the strategic position of the US with its unabated control of all oceanic routes, being surrounded by mostly friendly nations, having a solid energy supply, and no significant domestic threats leads me to think the long term strategic implications for Chinese aggression are abysmal. Cyber war could be shut down quickly with the destroying of communications networks in China with EM weapons if need be.