Slashdot Mirror
U.S. Defense Secretary Warns of a Possible 'Cyber-Pearl Harbor'
SpzToid writes "U.S. Secretary of Defense Leon E. Panetta has warned that the country is 'facing the possibility of a "cyber-Pearl Harbor" and [is] increasingly vulnerable to foreign computer hackers who could dismantle the nation's power grid, transportation system, financial networks and government.' Countries such as Iran, China, and Russia are claimed to be motivated to conduct such attacks (though in at least Iran's case, it could be retaliation). Perhaps this is old news around here, even though Panetta is requesting new legislation from Congress. I think the following message from Richard Bejtlich is more wise and current: 'We would be much better served if we accepted that prevention eventually fails, so we need detection, response, and containment for the incidents that will occur.' Times do changes, even in the technology sector. Currently Congress is preoccupied with the failure of U.S. security threats in Benghazi, while maybe Leon isn't getting the press his recent message deserves?"
Haliburton now has a kompootar division that needs money.
You mean, the US could spent less money on fearmongering, sting operations to trick poor and socially outcast citizens into conducting fake terrorist attacks for TV. Far flung surviallence systems, which don't work.
Instead of this crazy cloak and dagger shit, they could have invested in systems that were secure by default, and well coded that would resist cyber assault. In fact with the money spent, I'm sure they could simply paid many many many programers to do nothing but check and re-double check code, fuzz, and re-fuzz a bunch of apps until cyber breakins were not feasaible.
I am sure they could have done the same with all routers, and in the case of a massive foriegn DDoS, simply firewalled it.
Honestly... does this come as any surprise to anyone on /.?
When I heard about Flame and Stuxnet it was as if every cyberfiction story I read in the 80's had finally come true. Mentally, I'm already prepared.
Bring on the onslaught of Jihadist Erectile Dysfunction Spam!
In the future, I would want to not be isolated from my friends in the Space Station.
They just have to make all U.S. routers drop packets with the Evil bit set. Problem solved.
The Tao of math: The numbers you can count are not the real numbers.
... fabricated by the same people making the claim?
What the hell do they expect? They place critical computer systems online and they expect them to be safe? Why not leave them on an intranet and not worry about it.. Stop giving crackers a way to access the systems and nothing can happen... If the systems are so sensitive it seems logical right?
I think the tech's have pointed this out, again and again. Quit connecting critical systems to open networks, even indirectly. There's just no need to send control data across a public network, and no need for an engineer to be able to control a power station and read dilbert from the same computer. So there's no need to have that system accessible, even via a firewall, by Iran etc.
Problem solved.
I'm more shocked by this:
http://www.youtube.com/watch?v=pKaXqoC4DjE&feature=related
I'm shocker, firstly by the blatant voting fraud of it, but more shocked that nobody reported it and the first I found out about it was some comment in Slashdot. Not even an article, a single comment. If you haven't watched it, watch it, it's an eye opener.
I could never understood why America doesn't improve its cybersecurity, but if the plan is the same as with Pearl Harbor that would explain it. The US leaves their systems open and lures China to attack them to get a convincing casus belli for their counterattack, just like they did in WW2.
If control to the nation's power grid is accessible over the internet, then we have problems far more serious than hackers. It's almost like the head of Homeland Security doesn't even know how to use email.
Of course the idea is to do it in a way that it cannot be traced back. Or even, so that it looks as if someone else did it. For example, hack into an Iranian computer, and attack the U.S. power grid from there. The CIA will find out that the attack came from Iran, and won't look further.
The Tao of math: The numbers you can count are not the real numbers.
What's the chance of a person in the U.S. being killed or harmed by any sort of terrorist attack? I don't remember exactly, but I know I'm far more likely to die or get hurt every time I hop into my car, so I hope Uncle Sam will forgive me for not jumping up and shitting my pants in fear this very second.
I vote to call it Perl Harbor. You know, hackers and stuff...
Ezekiel 23:20
Given that the US is the main protagonist in this field they should be careful what precedent they set...
I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.
persian1234: hey baby, wanna cyber?
panetta_l: sure
persian1234: aight, i put on my flight suit and helmet
---
Is this the MPAA? Is this the RIAA? Is this the DMCA? I thought it was the USA!
Leave systems wide open to outside, then act surprised when said systems are attacked and scream to congress for new legislation to try to "fix" the problem. Hell, the solution is simple: close critical systems to outside access. However, this might mean that it would be necessary to spend extra money because access is now more difficult. And we surely wouldn't want any corporate or governmental entity to have to spend extra money, now would we?
So it would be a line noise attack?
The Tao of math: The numbers you can count are not the real numbers.
Gee it is now common knowledge that the U.S. LET Pearl Harbor happen... Thank you Dusko Popov for exposing that in your book "Spy Counter Spy". And more and more proof is coming out about how 9/11 was also a false flag, just like the Gulf of Tolkien, lets not forget Oklahoma City, just like the nasty things outlined in "Operation Northwoods" - no tinfoil hat needed here - the facts are all out in the open and available for all to read. If this happens - we will know the government did it... Heck remember when they said "what we need is another pearl harbor event..." - hmmm what happened - OH YEAH 9/11! Now they are saying it again - keep your eyes open - they are about to do something really nasty to you - AGAIN!
The Truth is a Virus!!!
....does include cyber-Kate Beckinsale, doesn't it?
http://www.pcmag.com/article2/0,2817,2410931,00.asp
He's still good for entertainment some days. And he's got this one nailed: "Cyber War? Bring It On! : The so-called imminent threat of cyber-attack by U.S. enemies is another in a long line of fear-mongering propaganda lines."
Why do we expose ourseles to such risks in the first place? Because we are willing to trade efficiency and lower cost now for certain vulnerabilities, that's why.
Nothing says we HAVE to have the power grid and other essential utilties on a non-isolated network. We do so because it's convenient and saves money in the short run.
If it's not practical to physically isolate the electrical grid's control systems from the rest of the world, at the very least put each one in a "bubble" and make sure all traffic into that "bubble" is authenticated. Virtual private networks go a long way towards making this possible. Having said that, physically isolating the electrical grid's command and control from the "outside world" and doing the same for other key infrastructures would be ideal if cost was not a factor.
Heck, if you even run a building or campus with things like HVAC that can be controlled by telephone or Internet, make darn sure that any request that could do actual harm (e.g. raising or lowering the temperature outside of reasonable levels, turning off power to an area without raising an alarm, disabling alarms, etc.) is authenticated, or better yet, don't allow such requests from outside of trusted physical locations, such as certain authorized computers that are on the same RELATIVELY SMALL physical network or sub-network as your HVAC's control computer, locked/secured control panels, etc. You do NOT want some guy in China turning off the heat at 2AM on a sub-freezing night, and if you can't stop them from doing it, you don't want them to turn off the alarms that will go off when the temperature of the water pipes drops close to freezing.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
So you think you could not kill people this way? Note that the target of the attack would not be some private computers. Are you sure you cannot intentionally steer a nuclear power plant into a disaster? What about chemical factories? What about hydropower dams? I guess you could kill quite a few people by just opening the water gates.
The Tao of math: The numbers you can count are not the real numbers.
us declaring some kind of cyber oil and cyber food embargo against a country, and them retaliating somehow for our absurd decision to stick our cyber dicks into someone elses cyber...shesh. cant we just paraphrase the good secretary and say, "I think we need to spend more time bashing china and drumming up war with iran, while at the same time blowing through the rest of this years defence budget through government contracts to multi billion dollar corporations"
Good people go to bed earlier.
This reminds me about a recent news story about our telephone networks' vulnerabilities.
In addition to fixing the security vulnerabilities in the network, it's time to fix the vunerabilities to end users:
It's high time to stop completely falsified caller-ID. I'm fed up with calls from "U. S. Pharmacy" or "Canadian pharmacy" from numbers that are either non-existant or that belong to someone else.
If the caller-ID information can't be authenticated by the sending caller's phone company OR the sending caller's phone company isn't trusted by the receiving caller's phone company to provide authenticated caller-id information, the called-party's phone should just show "unavailable" for the number or possibly "UNVERIFIED" followed by the alleged phone number.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Is suspiciously suspicious. It's almost like.....it's election time, or something...
FTFA:
It would require new standards at critical private-sector infrastructure facilities — like power plants, water treatment facilities and gas pipelines — where a computer breach could cause significant casualties or economic damage.
In August, a cybersecurity bill that had been one of the administration’s national security priorities was blocked by a group of Republicans, led by Senator John McCain of Arizona, who took the side of the U.S. Chamber of Commerce and said it would be too burdensome for corporations.
So a new bureaucracy to create standards of questionable usefulness, and then to enforce their compliance.
. . . then he adds:
“We’re not interested in looking at e-mail, we’re not interested in looking at information in computers, I’m not interested in violating rights or liberties of people,” Mr. Panetta told editors and reporters at The New York Times earlier on Thursday. “But if there is a code, if there’s a worm that’s being inserted, we need to know when that’s happening.”
Please elaborate on what exactly you are talking about there, Mr. Panetta . . . ? It sounds to me like that means more snooping . . .
Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
Like most stuff that comes out of Washington, it's pure shadow-theater. Or maybe just a bad clown show.
... in which a gullible public is suddenly dive-bombed - without a formal declaration of war - by inadequate but impressive-sounding metaphors comparing present-day dangers with historical military engagements.
http://en.wikipedia.org/wiki/Brittle_Power
"Brittle Power: Energy Strategy for National Security is a 1982 book by Amory B. Lovins and L. Hunter Lovins, prepared originally as a Pentagon study, and re-released in 2001 following the September 11 attacks. The book argues that U.S. domestic energy infrastructure is very vulnerable to disruption, by accident or malice, often even more so than imported oil. According to the authors, a resilient energy system is feasible, costs less, works better, is favoured in the market, but is rejected by U.S. policy. In the preface to the 2001 edition, Lovins explains that these themes are still very current."
We in the USA need a security strategy the emphasizes intrinsic security and mutual security over extrinsic security and unilateral security. More on that here:
http://www.pdfernhout.net/recognizing-irony-is-a-key-to-transcending-militarism.html
A 21st century issue: the irony of technologies of abundance in the hands of those still thinking in terms of scarcity.
China depends too heavily on our economy. If they bring it crashing down they are crippling their biggest consumer and they will be facing huge internal problems as a result. If we get on our feet economically in the future then it's more likely.
Iran is much more of a loose cannon. It's hard to say, though, if they have the skillz required.
the country is 'facing the possibility of a "cyber-Pearl Harbor"
Hawaii is going to lose their internet connection and won't be able to play Ubisoft games.
There is no such thing as secure by default (except maybe for a brick), and no theoretical possibility of such a thing. There is more likelihood of a million monkeys randomly typing for a million years to create one of Shakespeare's plays than for creating a truly secure OS in the manner described. And even coming close could not be done before whatever product is completely, totally irrelevant from obsolescence.
I'm guessing: The U.S. Secretary of Defense has no knowledge of computer technology whatsoever, except what he learned from his children. But he wants to be cool, seem knowledgeable, get his name in the news, and get government contracts for associates, so he put his name on a scary memo written by his staff, who also have such associates.
That's a guess, but it seems a likely guess given the fact that technically knowledgeable people use different language and recommend examination of code for security problems and sloppiness.
Some of those who want government corruption want continuous war because government "defense" contracts provide easy profits, and it is easy to keep corruption secret.
If they get easy money, the corrupters don't care who is killed, what lives and property are destroyed, or how much money is wasted. For example, the book Funding the Enemy: How U.S. Taxpayers Bankroll the Taliban provides a huge amount of detail about a small part of the corruption.
Divide the cost to the U.S. taxpayer of just the war in Afghanistan ($574,624,781,538) by the population of Afghanistan (35,320,445). The U.S. taxpayer has already paid 16,268 hard-earned dollars for every man, woman, and child in Afghanistan. The results: Mostly, things are worse.
If those who want corruption can't get the taxpayers to pay for killing other people, they want "cyber war". See, for example, Obama Order Sped Up Wave of Cyberattacks Against Iran.
The U.S. government has invaded or bombed 27 countries since the end of the 2nd world war.
Constant war makes us poor.
the power grid needs to be able to link the sub stations , power plants, control centers to each other.
We need IT unions to make so cut cutting does not end up being useing outsourcing as well as real hands on training and not just book based theory leaning.
Mod parent up.
Pearl Harbor was bait. Major "oops" that the Japs used shallow-running torpedoes thus making a bigger mess, but hubris is a bitch. The British figured out how to plink ships in shallow harbors:
http://suite101.com/article/the-battle-of-taranto---inspiration-for-pearl-harbour-a307392
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
Ho, flame is not enough, they need budget for the next virus...
Yeah, because smashing a centrifuge is so less likely to be detected than planting malware.
From http://en.wikipedia.org/wiki/Stuxnet#Windows_infection:
well what about triggering fail safe shutdowns? Hacks can just try to triggering one or trigger the alarms and you better hope someone is on site to handle that alarm.
Mod parent up.
It'd be a waste of mod points; shills in their cubicles at Fort Meade are actually earning their salaries today! :p
There are three areas that need attention - electric power distribution, pipelines, and financial systems - because the impacts are high and restoration times are long.
Power systems have Internet connections because, in the US, they are now market systems, and the bidding process between the various parties is conducted over the Internet. The seven US power grids worry a lot about this, but it's not clear if they worry enough. What needs to be done there is to insure that restoration after a failure in the high voltage network is faster. Worst case downtimes should be brought down from days (as in 2003) to hours. All plants bigger than 250MW or so should be required to have cold start capability, so they can start up and idle even if the grid is down.
Pipelines I don't know enough about, so I won't say much about that.
The financial system is a real worry. If the US had a week-long disruption of New York based trading, the center of the financial world would move elsewhere. In 2001, the non-US exchanges weren't big enough to take over. That's no longer the case. Of the top 5 stock exchanges, only one, the NASDAQ, is entirely in the US. London, Tokyo, Shanghai, and Hong Kong could take over.
Perhaps this is old news around here, even though Panetta is requesting new legislation from Congress.
I hope by that she means laws funding more and better security (actual security, not security theatre) and not laws making it illegal for foreign powers to attack US networks.
If you need that explained, shoot yourself.
Assorted stuff I do sometimes: Lemuria.org
http://www.youtube.com/watch?v=M84l19H68mk
http://www.youtube.com/watch?v=9y29sCsh0oY
So SecDef and wop draft-dodger, Leon Panetta is warning the Iranians about their cyber-retaliation, threatening to offshore yet more jobs, yet more technology, yet more investment and defense secrets, to China, and take that, you Iranian baddies, whines Panetta.
Oh swee jaysus on a Harley, for chrissakes! Too late, Leon, AMD is already beginning their layoffs, chump! Will someone please vote for Dr. Jill Stein, the way I voted for Cynthia McKinney and Ralph Nader --- we've got to put an end to stooges in the White House --- and to think America has devolved to the point where a private equity leveraged buyout debt queen, like Willard Mitt Romney, born with a silver dildo in his mouth, would dare run for the presidency! (And we though McCain/Palin was nauseating....)
By cyber pearl harbor, does he mean that the attack will destroy obsolete equipment, leaving critical infrastructure and equipment safe while at the same time providing an excuse for the us government to start a war ?
...that the Chinese botmasters may have been the ones the Iranians hired in the first place.....
...reptile dysfunction????
Turns out the poor bastards just got into a DARPA cookie jar and ingested a cocktail of experimental psychotropic drugs. A V-22 Osprey generously packed with raw meat and bottled water has been delivered to sedate them. Once they are too full to move, Marines will enter and secure them with electrified steel chains and muzzles. With a mixture of education and eskrima-sticks, they will be slowly rehabilitated. In the meantime, a gang of substitute paranoid schizophrenics has been hand-selected from the finest wards of America which will provide national defense until the rehabilitation process is complete.
Forward! -- Emperor Norton, 2012
When some says "cyber", it means they are confused and frightened about technology, and should not, under any circumstances, be taken seriously on the subject.
Everybody and his granny knows that when you fill a country with computers and then let them manage actuators (you know: things that control real-world stuff), you introduce real-world vulnerabilities to cyberspace mayhem.
So you'd think that every single government branch in charge of some computer-controlled actuator would take very special care that said actuators can't be accessed by unauthorised people who happen to roam about, right?
Starting with secure routers, credible VPN connections, limited sets of clients that the routers will accept communications from, good and varied passwords (the kind that need to be written down and kept in a safe until it's time to use them), access logs being kept and checked on a regular basis, etc. Just like the physical access control such people get off on. All known stuff.
Add to that a way of ensuring that the government (local, state, federal) has a more or less guaranteed communication backup (e.g. private fiber, special priority circuits in telephone switchboards, or simple packet radio in restricted bands). Then ensure that critical communications like banks have a reasonable level of protections too. Transcribe all that into the telecoms act, make authorities responsible for abiding by those regulations and appoint somebody to check that they do. Costs a bundle but gives you peace of mind .. and (as a nation) insurance against basic attacks.
Except that people don't. That, incidentally, is why Gary McKinnon could stroll into various government systems: they were unprotected. Everyone knew and no-one cared. And guess what: our carefully cost-conscious government does the very same thing with the nation's actuators. Starting with traffic lights and going up all the way to the power grid.
Well people are stupid, lazy and focused on the short term. We know that. That's why we have regulations for so many things.
But Ok, ... if we collectively decide (for reasons of cost and convenience) to leave everything wide open, that's what we do.
But here's Panetta who thinks we ought to do the prudent thing, against our natural tendencies. So what happens? Does he settle the issue by having a quiet word in circles of power that generates bi-partisan support for basic communications security?
No. Of course not. People don't want to hear about reasons why anything should be added to their workload or anything should be done in anything but the cheapest, most thoughtless and most slapdash way.
So Panetta needs to drum up public support and he goes to the press with essentially the same story (that ought to be recognised as prudent by every representative anyway) and dresses it up in lurid foam-at-the-mouth war-rethoric. Doom! Pearl Harbour! Enemies are out to get us! The Chines/Russians/Islamists [cross out whichever is not applicable] are coming for us. To Arms!
It makes me so tired. Why can't we just secure our vital communications without raising the specter of war? I don't know whether to laugh or cry.
The January 19, 2010 BBC article, UN Afghanistan survey points to huge scale of bribery says, "According to the UN survey, bribes averaged $160 (£98) in contrast to an average Afghan annual income of $425."
After bribes are paid, the income is $265. But that is misleading, because people who take the bribes are included in the overall average. So the average income for those who don't get bribes is apparently much less than $265.
Using $265 as the figure, U.S. taxpayers paid the equivalent of 61 years income for average people (16,268 per person, as mentioned above) to the rich people in Afghanistan who take bribes and participate in corruption. Numerous articles say the lives have average people haven't improved much.
The US gov. should stop it's phantasm of "cyberwar", and downed power grids...
Hey guys, nobody wants to put in the effort to down your power grid. It does not give any country an advantage, except the US themselves. Fact.
aaaaaaa
`U.S. Secretary of Defense Leon E. Panetta has warned that the country is 'facing the possibility of a "cyber-Pearl Harbor" and [is] increasingly vulnerable to foreign computer hackers who could dismantle the nation's power grid, transportation system, financial networks and government'.
...
Assuming this is the case and not a pretext for getting a bigger budget, then it's largely self inflicted due to the excessive and compulsory use of Windows in finance, government and the DHS itself
AccountKiller
Just shows you it was poorly designed in the first place and needed to be torn down.
---- Booth was a patriot ----
Whatever mayhem a "cyber-atttack" might cause, it is almost inconceivable that it could rival the destruction and loss of life of the attack on Pearl Harbor.
It is insulting to those who died to imply otherwise.
My Grandfather served in the navy during the war, but was not at Pearl Harbor when it was attacked.
He was, however, briefly assigned to the detail that had to help clean out the dead, bloated bodies from the ships that were sunk in the attack.
Leon E Panetta, you are an asshole. Unless we do something insanely stupid like hooking gas valves, electrical substations, or their like directly to the Internet, the possibility of a "cyber-Pearl Harbor" is a fllat zero. Respect those who lost their lives for our freedom and temper your fucking hyperbole.
> There is more likelihood of a million monkeys randomly typing for a million years to
> create one of Shakespeare's plays than for creating a truly secure OS in the manner
> described. And even coming close could not be done before whatever product is
> completely, totally irrelevant from obsolescence.
The first question in many security cases is "WTF was the idea behind connecting it to the internet?" Many SCADA systems are controlled by Windows computers which are often net connected. Disconnect the system from the net (wired and wireless), and turn off autorun/autoplay on the machines, disable USB port access for all but authorized personnel. It may not be perfect, but it'll be a lot better than today.
I'm not repeating myself
I'm an X window user; I'm an ex-Windows user
> So a new bureaucracy to create standards of questionable usefulness, and then to enforce their compliance.
If you like the TSA, you'll love the ITSA (IT Safety Administration). You'll have a minimum-wage "security officer" sticking their hand up your ass before you sit down in front of your computer.
I'm not repeating myself
I'm an X window user; I'm an ex-Windows user
Security firms are right when they claim that the US infrastructure is vulnerable. Xecco Trading using Chinese developers who wrote the code that connected both to the ACH transfer network as well as the trading exchanges. Bang, $4B USD under management worth of stock dumped and the funds transferred out. Titron was thrilled when a Chinese firm offered to replace their 3 chip zigbee + meter management + crypto cheap with an all-in-one, manufactured and delivered for pennies for their smart meters.
But the response is worse. U.S. Gov't is being influenced to award contracts to the firms that can boast 300 or more "Top Secret" cleared engineers ... i.e. M.D., etc. And their ability to deliver functional software is a joke. Further, these contracts are written for version 1.0. Want version 1.1 (with bug fixes?), U.S. has to pay the SAME PRICE as the 1.0. Indefinitely.
But there are some trying to rectify this. Get involved people. IARPA is a nice place to start, NSA does give grants for good tech, the DOD is not blinded to the ambitions of the big firms, and CyberCON is going on, right now, that will direct these budgets.
You can get involved!
Or is this the banksters way of chumming the waters for all the little fishies to swallow that all their hard earned money just simply disappeared. The sad thing is, sheeple are waking up. Lies show just how arrogant leaders have become. Humility will be restored at a cost yet dreamed of. The CON(gress)MEN have failed to realize anything, have failed to uphold the Constitution, have failed in the Stewardship of this country, have failed to divest themselves of avarice. If you are not of the LIGHT, then you cannot remain.
The mind conceives, the body achieves, the spirit manifests.
I'm right, they're trying to pin it on Iran.
http://www.nytimes.com/2012/10/14/world/middleeast/us-suspects-iranians-were-behind-a-wave-of-cyberattacks.html?_r=1
Is this different than the Electronic Pearl Harbor? That was supposed to happen a while ago. Maybe I missed it.
Will this one also be in Hawaii? Will Richard Clarke narrate it? He's been pushing for a new Pearl Harbor for a while.
I guess we'll have to wait. It turns out that these craven bullshit artists *don't* actually know what they're talking about.
Some dude called Gary McKinnon (note spelling, editurds) did the equivalent of flying over on December 5th and dropping eggs and flour bags on your ships.
I doubt any of the Pentagoons grokked the lesson, mind.
I think if they manage to frig about with power systems, aircraft navigation & the like it might be a bit more serious than one random nerd losing his pr0n & w4r3z collection.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."