Slashdot Mirror


U.S. Defense Secretary Warns of a Possible 'Cyber-Pearl Harbor'

SpzToid writes "U.S. Secretary of Defense Leon E. Panetta has warned that the country is 'facing the possibility of a "cyber-Pearl Harbor" and [is] increasingly vulnerable to foreign computer hackers who could dismantle the nation's power grid, transportation system, financial networks and government.' Countries such as Iran, China, and Russia are claimed to be motivated to conduct such attacks (though in at least Iran's case, it could be retaliation). Perhaps this is old news around here, even though Panetta is requesting new legislation from Congress. I think the following message from Richard Bejtlich is more wise and current: 'We would be much better served if we accepted that prevention eventually fails, so we need detection, response, and containment for the incidents that will occur.' Times do change, even in the technology sector. Currently Congress is preoccupied with the failure of U.S. security threats in Benghazi, while maybe Leon isn't getting the press his recent message deserves?"

30 of 190 comments

  1. translation by Anonymous Coward · · Score: 4, Insightful

    Haliburton now has a kompootar division that needs money.

  2. you mean they could have spent less money spying.. by davydagger · · Score: 5, Insightful

    You mean, the US could have spent less money on fearmongering, sting operations to trick poor and socially outcast citizens into conducting fake terrorist attacks for TV, and far-flung surveillance systems which don't work.

    Instead of this crazy cloak and dagger shit, they could have invested in systems that were secure by default and well coded, that would resist cyber assault. In fact, with the money spent, I'm sure they could simply have paid many many many programmers to do nothing but check and re-double-check code, fuzz, and re-fuzz a bunch of apps until cyber break-ins were not feasible.

    I am sure they could have done the same with all routers, and in the case of a massive foreign DDoS, simply firewalled it.

  3. What a shocking declaration! by mekkab · · Score: 4, Funny

    Honestly... does this come as any surprise to anyone on /.? When I heard about Flame and Stuxnet it was as if every cyberfiction story I read in the 80's had finally come true. Mentally, I'm already prepared.

    Bring on the onslaught of Jihadist Erectile Dysfunction Spam!

    --
    In the future, I would want to not be isolated from my friends in the Space Station.
    1. Re:What a shocking declaration! by maxwell demon · · Score: 5, Funny

      Yeah, erectile dysfunction is especially bad for jihadists. Imagine you get your 72 virgins, and then you can't get it up.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    2. Re:What a shocking declaration! by K. S. Kyosuke · · Score: 4, Funny

      Actually, that's the Muslim version of hell. Both groups get sent to the same place (which reduces maintenance costs, mind you!) and the ones with erectile dysfunction are simply forced to watch the unafflicted ones.

      --
      Ezekiel 23:20
    3. Re:What a shocking declaration! by BeanThere · · Score: 5, Insightful

      I've been reading these overblown scare stories with regularity since I've been reading /. ... it just means it's budget allocation time again for the 'cybersecurity divisions' and these types of reports are just a way of trying to justify oversized budgets for ever-larger 'departments' to push paper around while pretending to protect you from something.

    4. Re:What a shocking declaration! by NotQuiteReal · · Score: 3, Funny

      If they are MALE virgins, you need to be worried about getting it up yours.

      FTFY

      --
      This issue is a bit more complicated than you think.
  4. Easy solution by maxwell demon · · Score: 5, Funny

    They just have to make all U.S. routers drop packets with the Evil bit set. Problem solved.

    --
    The Tao of math: The numbers you can count are not the real numbers.
  5. Well, that explains it by Hentes · · Score: 4, Interesting

    I could never understand why America doesn't improve its cybersecurity, but if the plan is the same as with Pearl Harbor that would explain it. The US leaves their systems open and lures China to attack them to get a convincing casus belli for their counterattack, just like they did in WW2.

    1. Re:Well, that explains it by DNS-and-BIND · · Score: 2

      On its final exam each year, beginning in 1931, the Japanese Naval Academy asked its students, "How would you carry out a surprise attack on Pearl Harbor?"

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    2. Re:Well, that explains it by bill_mcgonigle · · Score: 4, Informative

      lol you think the US 'lured' Japan into attacking Hawaii? Seriously?

      Hrm, the gp said 'lured'. The oil embargo created the conditions where Japan wanted to seize the oil fields of the Dutch East Indies. Roosevelt said this himself. Then he moved the only fleet that could stop them from San Diego to Honolulu. They had radio intel on Japanese movements and kept some of that info from the Navy by Presidential order. (see some good comments here or buy the books)

      Roosevelt wanted war and had big trouble selling it (both matters of fact) and these conditions got him an attack which got him what he wanted.

      But that doesn't mean the Japanese had to maintain their empire or that the People had to accept a Japanese attack on Hawaii as a reason to go to war in Europe. Plenty of blame to spread around, but one can't cast Roosevelt as completely surprised or ignorant of the conditions in the region.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  6. Re:And just how easy can this be .... by Samantha Wright · · Score: 2, Insightful

    Given that the general public won't even know the difference between a genuine attack and just turning off the power grid? Pretty damn easily! (But, of course, for extra convincingness points, they can always use the years of detailed forensic work done by security analysts on viruses like Stuxnet to fabricate the fingerprint of their attacking nation of choice.)

    --
    Bio questions? Ask me to start a Q&A journal. Computer analogies available for most topics!
  7. Why Is the Power Grid on the Internet? by edibobb · · Score: 5, Insightful

    If control to the nation's power grid is accessible over the internet, then we have problems far more serious than hackers. It's almost like the head of Homeland Security doesn't even know how to use email.

  8. Re:Now? by maxwell demon · · Score: 2

    Of course the idea is to do it in a way that it cannot be traced back. Or even, so that it looks as if someone else did it. For example, hack into an Iranian computer, and attack the U.S. power grid from there. The CIA will find out that the attack came from Iran, and won't look further.

    --
    The Tao of math: The numbers you can count are not the real numbers.
  9. Re:Is that so? :p by K. S. Kyosuke · · Score: 5, Insightful

    I vote to call it Perl Harbor. You know, hackers and stuff...

    --
    Ezekiel 23:20
  10. Precedence... by Zemran · · Score: 2

    Given that the US is the main protagonist in this field they should be careful what precedent they set...

    --
    I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.
  11. a 'cyber' pearl harbor? what's this guy on? by hamburger lady · · Score: 2

    persian1234: hey baby, wanna cyber?

    panetta_l: sure

    persian1234: aight, i put on my flight suit and helmet

    --
    Is this the MPAA? Is this the RIAA? Is this the DMCA? I thought it was the USA!
  12. Re:Is that so? :p by maxwell demon · · Score: 3, Funny

    So it would be a line noise attack?

    --
    The Tao of math: The numbers you can count are not the real numbers.
  13. Re:Really?! by ByteSlicer · · Score: 4, Insightful

    Why not leave them on an intranet

    No! Never connect critical computer systems to an intranet (assuming you mean a general purpose internal network).
    It's just too easy for a worm infection to create a bridge with the internet, or some person connecting his laptop to his phone to read slashdot and thereby creating a bridge.
    These systems should be on their own network, and all communication should be encrypted using public-private key pairs (secure tunnels, so systems can only communicate with other systems when they're allowed to). Managing the keys/tunnels would be a hassle (making sure an authorized human is in the loop), but good security always has its costs.

  14. Ask a cranky 'ol guy (John Dvorak) by rbrander · · Score: 4, Interesting

    http://www.pcmag.com/article2/0,2817,2410931,00.asp

    He's still good for entertainment some days. And he's got this one nailed: "Cyber War? Bring It On! : The so-called imminent threat of cyber-attack by U.S. enemies is another in a long line of fear-mongering propaganda lines."

  15. Isolate the networks as best you can by davidwr · · Score: 2

    Why do we expose ourselves to such risks in the first place? Because we are willing to trade efficiency and lower cost now for certain vulnerabilities, that's why.

    Nothing says we HAVE to have the power grid and other essential utilities on a non-isolated network. We do so because it's convenient and saves money in the short run.

    If it's not practical to physically isolate the electrical grid's control systems from the rest of the world, at the very least put each one in a "bubble" and make sure all traffic into that "bubble" is authenticated. Virtual private networks go a long way towards making this possible. Having said that, physically isolating the electrical grid's command and control from the "outside world" and doing the same for other key infrastructures would be ideal if cost was not a factor.

    Heck, if you even run a building or campus with things like HVAC that can be controlled by telephone or Internet, make darn sure that any request that could do actual harm (e.g. raising or lowering the temperature outside of reasonable levels, turning off power to an area without raising an alarm, disabling alarms, etc.) is authenticated, or better yet, don't allow such requests from outside of trusted physical locations, such as certain authorized computers that are on the same RELATIVELY SMALL physical network or sub-network as your HVAC's control computer, locked/secured control panels, etc. You do NOT want some guy in China turning off the heat at 2AM on a sub-freezing night, and if you can't stop them from doing it, you don't want them to turn off the alarms that will go off when the temperature of the water pipes drops close to freezing.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  16. Re:Ah! another government false flag huh? by Anonymous Coward · · Score: 2, Funny

    a false flag, just like the Gulf of Tolkien

    Those middle-earth bastards sucked us in!

  17. Another Translation: by Futurepower(R) · · Score: 4, Interesting

    I'm guessing: The U.S. Secretary of Defense has no knowledge of computer technology whatsoever, except what he learned from his children. But he wants to be cool, seem knowledgeable, get his name in the news, and get government contracts for associates, so he put his name on a scary memo written by his staff, who also have such associates.

    That's a guess, but it seems a likely guess given the fact that technically knowledgeable people use different language and recommend examination of code for security problems and sloppiness.

    Some of those who want government corruption want continuous war because government "defense" contracts provide easy profits, and it is easy to keep corruption secret.

    If they get easy money, the corrupters don't care who is killed, what lives and property are destroyed, or how much money is wasted. For example, the book Funding the Enemy: How U.S. Taxpayers Bankroll the Taliban provides a huge amount of detail about a small part of the corruption.

    Divide the cost to the U.S. taxpayer of just the war in Afghanistan ($574,624,781,538) by the population of Afghanistan (35,320,445). The U.S. taxpayer has already paid 16,268 hard-earned dollars for every man, woman, and child in Afghanistan. The results: Mostly, things are worse.

    If those who want corruption can't get the taxpayers to pay for killing other people, they want "cyber war". See, for example, Obama Order Sped Up Wave of Cyberattacks Against Iran.

    The U.S. government has invaded or bombed 27 countries since the end of the 2nd world war.

    Constant war makes us poor.

    1. Re:Another Translation: by hoboroadie · · Score: 4, Informative

      The U.S. taxpayer has already paid 16,268 hard-earned dollars for every man, woman, and child in Afghanistan.

      I am not an anthropologist, but I heard about Afghanis from a friend who used to visit up until the Soviets gave him the boot. From what I heard, we could have bought the love of everyone in the country for much, much less.
      Probably should have handed out AK47s and a fat purse to every man/woman/child about 18 December 2001, declared the country free, and come home.

      --
      They feared that it could be used to suppress protest or support unpopular rule.
  18. We need IT unions to make so cost cutting by Joe_Dragon · · Score: 2

    We need IT unions to make sure cost cutting does not end up using outsourcing, as well as real hands-on training and not just book-based theory learning.

  19. Re:And just how easy can this be .... by tqk · · Score: 2

    Biology question: how do I throw a zinger about "conspiracy theories" at a biologist?

    Ahhh, you're not trying hard enough. One word: Anthrax!

    You don't even need the real thing. A bit of flour in an envelope stuffed into random screen door mail slots in residential neighbourhoods overnight, and you can shut an entire city down for days, maybe weeks. You can even bribe homeless winos with a bottle to do it early in the morning (tell them it's a promotional campaign for a contest and give 'em a cheap bottle of ripple to do it).

    Worked on Congress.

    --
    "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.
  20. Re:Is that so? :p by couchslug · · Score: 2, Informative

    Mod parent up.

    Pearl Harbor was bait. Major "oops" that the Japs used shallow-running torpedoes thus making a bigger mess, but hubris is a bitch. The British figured out how to plink ships in shallow harbors:

    http://suite101.com/article/the-battle-of-taranto---inspiration-for-pearl-harbour-a307392

    --
    "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
  21. Big problems: power, pipelines, financial by Animats · · Score: 2

    There are three areas that need attention - electric power distribution, pipelines, and financial systems - because the impacts are high and restoration times are long.

    Power systems have Internet connections because, in the US, they are now market systems, and the bidding process between the various parties is conducted over the Internet. The seven US power grids worry a lot about this, but it's not clear if they worry enough. What needs to be done there is to ensure that restoration after a failure in the high voltage network is faster. Worst case downtimes should be brought down from days (as in 2003) to hours. All plants bigger than 250MW or so should be required to have cold start capability, so they can start up and idle even if the grid is down.

    Pipelines I don't know enough about, so I won't say much about that.

    The financial system is a real worry. If the US had a week-long disruption of New York based trading, the center of the financial world would move elsewhere. In 2001, the non-US exchanges weren't big enough to take over. That's no longer the case. Of the top 5 stock exchanges, only one, the NASDAQ, is entirely in the US. London, Tokyo, Shanghai, and Hong Kong could take over.

  22. cyber pearl harbor by Keychain · · Score: 3, Funny

    By cyber pearl harbor, does he mean that the attack will destroy obsolete equipment, leaving critical infrastructure and equipment safe while at the same time providing an excuse for the US government to start a war?

  23. Re:you mean they could have spent less money spyin by knorthern knight · · Score: 3, Interesting

    > There is more likelihood of a million monkeys randomly typing for a million years to
    > create one of Shakespeare's plays than for creating a truly secure OS in the manner
    > described. And even coming close could not be done before whatever product is
    > completely, totally irrelevant from obsolescence.

    The first question in many security cases is "WTF was the idea behind connecting it to the internet?" Many SCADA systems are controlled by Windows computers which are often net connected. Disconnect the system from the net (wired and wireless), and turn off autorun/autoplay on the machines, disable USB port access for all but authorized personnel. It may not be perfect, but it'll be a lot better than today.

    --
    I'm not repeating myself
    I'm an X window user; I'm an ex-Windows user
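The host-level steps in the comment above (AutoRun/AutoPlay off, removable storage restricted, no route off the control network) can be audited from PowerShell. This is an added example, not code from the thread; it assumes an elevated session on the Windows host that fronts the control system, uses the documented NoDriveTypeAutoRun policy value and the USBSTOR service start type, and the function names are mine.

```powershell
# Added example: audit (and optionally apply) the host hardening steps from the comment above.
# Assumes an elevated PowerShell session on a Windows host in front of a control system.
# Physically unplugging the network is a switch/cable step and is only reported here, not changed.

$Explorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$UsbStor  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-ScadaHostHardening {
    # NoDriveTypeAutoRun = 0xFF disables AutoRun for every drive type (Microsoft KB 967715).
    $autorun = (Get-ItemProperty -Path $Explorer -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    # Start = 4 (SERVICE_DISABLED) stops the USB mass-storage driver loading for newly plugged devices.
    $usb = (Get-ItemProperty -Path $UsbStor -Name Start -ErrorAction SilentlyContinue).Start
    # Any adapter that has a default gateway is a candidate route off the isolated network.
    $routed = Get-NetIPConfiguration |
              Where-Object { $_.IPv4DefaultGateway -or $_.IPv6DefaultGateway } |
              ForEach-Object { $_.InterfaceAlias }
    [pscustomobject]@{
        AutoRunDisabled    = ($autorun -eq 0xFF)
        UsbStorageDisabled = ($usb -eq 4)
        RoutedInterfaces   = @($routed)
    }
}

function Set-ScadaHostHardening {
    # Applies the two registry-level steps. Devices already enumerated keep working until reboot
    # or re-plug; on domain-joined hosts the same settings are better pushed by Group Policy.
    if (-not (Test-Path $Explorer)) { New-Item -Path $Explorer -Force | Out-Null }
    Set-ItemProperty -Path $Explorer -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    Set-ItemProperty -Path $UsbStor  -Name Start -Value 4 -Type DWord
}

$state = Get-ScadaHostHardening
$state | Format-List
if (-not $state.AutoRunDisabled -or -not $state.UsbStorageDisabled) {
    Write-Warning 'Host is not hardened; run Set-ScadaHostHardening from an elevated session.'
}
if ($state.RoutedInterfaces.Count -gt 0) {
    Write-Warning ('Interfaces with a default gateway (possible path off the isolated network): ' +
                   ($state.RoutedInterfaces -join ', '))
}
```

Re-enabling USBSTOR for an authorized technician is the reverse of the Set function (Start = 3) and should be logged and reverted once the maintenance window closes.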